Update — April 5, 2026: ShadowByt3s has followed through on its threat and published the full 10GB dataset. In a new forum post, the group confirmed Starbucks did not respond to their ransom demand and that the S3 bucket was closed, indicating Starbucks became aware of the exposure. The data is now available on the group’s dark web leak site. The same post includes an active insider recruitment pitch offering a 30/70 revenue split to anyone willing to provide internal access to future targets, a detail that raises questions about whether the group is seeking to expand operations beyond what they can access independently. A screenshot of the updated forum post is below.
A threat group calling themselves ShadowByt3s posted alleged Starbucks data for sale on underground forums on April 1, 2026, claiming extraction of 10GB from a misconfigured AWS S3 bucket named “sbux-assets.” The group set an April 5 deadline at 5:00 PM, threatening full public data release if Starbucks does not pay ransom. Proof and sample links were provided along with a Telegram channel available for files exceeding 1GB.
Starbucks has not acknowledged any security incident related to this claim. The forum account has limited history with no verified prior breaches of this scale.
What Was Allegedly Taken
ShadowByt3s claims the sbux-assets bucket contained sensitive operational and development material. That includes firmware for Mastrena II espresso machines and FreshBlends smoothie stations, source code for a Global Management UI used to oversee hardware across international regions, and an Inventory Management Portal for tracking hardware and vendor orders.
On the developer side, the group claims JavaScript bundles with hardcoded API endpoints and authentication logic, staging folders that may contain temporary credentials or internal notes, and internal branding assets for Starbucks and partner vendor Blue Sparq.
Not Starbucks’ First Breach
Starbucks disclosed a separate data breach earlier this year after detecting unauthorized access to Partner Central accounts on February 6. Partner Central is an internal portal employees use to manage payroll, benefits, and personal information.
Hackers obtained employee credentials through a phishing campaign using fake login pages mimicking the portal. The unauthorized access ran from January 19 to February 11 and affected nearly 900 employees, exposing names, Social Security numbers, dates of birth, and financial account information. Law enforcement was notified and affected employees were offered identity protection services. The two incidents appear unrelated.
Credibility Questions
Several factors undercut the claim. No independent security researchers have reported finding a publicly accessible Starbucks S3 bucket. It is worth noting the claim was posted on April 1, a date widely associated with hoaxes and pranks.
ShadowByt3s is also actively recruiting corporate insiders, offering a 30/70 revenue split with no upfront cost required. That pitch suggests the group may be seeking access they do not yet have.
Verification Status
This claim remains unverified. BreachNews has not obtained, analyzed, or authenticated any of the alleged data and cannot confirm whether the files are genuine, fabricated, or aggregated from prior exposures. Publicly accessible S3 buckets are a well documented attack surface, but exposure requires confirmation beyond a forum post. Starbucks has not issued any public statement acknowledging this claim. This article will be updated as the situation develops.
