7-Eleven Japan's mobile payment app had such poor security that the company had to shut it down just a couple of days after its release, because of a security flaw that affected around 900 people. In an announcement explaining the issue, “The company admitted that hackers were able to break into 900 users’ accounts and to charge 55 million yen ($507,000) in illegal purchases to their debit and credit cards on file within that period, from July 1st when the 7pay app rolled out to July 3rd when the service was shut down.”
The 7-Eleven mobile app, also called 7pay, had a flaw in its password reset function. 7pay’s implementation allowed anyone to request a password reset and, to make matters worse, it even allowed the reset link to be sent to any email address, not just the account owner’s. The fraudster only needed the account owner’s email address, date of birth, and phone number. Previous data breaches in Japan have made it quite easy to find the required information, and the date of birth wasn’t even required in some cases, since 7-Eleven automatically set it to January 1st, 2019 if the account owner didn’t enter their own birthday.
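An added illustration of the reset-flaw class described above, written for this page and not 7pay’s code: a handler that checks knowledge-based data and lets the caller choose the recipient, beside a hardened one that only ever mails the address on file. The account store, captured mail, and sample values are constructed stand-ins.

```python
import hmac
import secrets
import time
from datetime import date

# Constructed sample data standing in for the account store and mail transport.
# DEFAULT_DOB mirrors the article's point: an unset birthday was auto-filled
# with a predictable value, so it added nothing to the identity check.
DEFAULT_DOB = date(2019, 1, 1)
ACCOUNTS = {"alice@example.invalid": {"dob": DEFAULT_DOB, "phone": "080-0000-0001"}}
SENT_MAIL = []   # (recipient, token) pairs captured instead of real e-mail
TOKENS = {}      # token -> (account e-mail, expiry timestamp)
TOKEN_TTL = 15 * 60

def _issue_token(email):
    token = secrets.token_urlsafe(32)           # unguessable, not derived from user data
    TOKENS[token] = (email, time.time() + TOKEN_TTL)
    return token

def reset_vulnerable(email, dob, phone, send_to):
    """Flawed design: a knowledge-based check on leaked or default data, and
    the caller picks where the link is delivered."""
    acct = ACCOUNTS.get(email)
    if acct is None or acct["dob"] != dob or acct["phone"] != phone:
        return False                            # also leaks whether the account exists
    SENT_MAIL.append((send_to, _issue_token(email)))   # recipient is caller-controlled
    return True

def reset_hardened(email):
    """Fix: the link goes only to the address on file, DOB/phone play no part,
    and the response is identical whether or not the account exists."""
    if email in ACCOUNTS:
        SENT_MAIL.append((email, _issue_token(email)))  # recipient fixed server-side
    return True

def redeem(token):
    """Return the e-mail a valid, unexpired token belongs to, else None.
    Tokens are single-use; the comparison is constant-time."""
    match = next((t for t in TOKENS if hmac.compare_digest(t, token)), None)
    if match is None:
        return None
    email, expiry = TOKENS.pop(match)
    return email if time.time() < expiry else None
```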
Hackers quickly took advantage of the massive security flaws to make over ¥55 million ($510,000) in illegal charges. 7-Eleven shut down the service on July 3rd, and the website for 7pay now has the following message.
After the incident, The Japan Times reported, “The country’s Ministry of Economy, Trade and Industry warned the company to boost its security after it was determined that 7-Eleven had failed to carefully follow guidelines to prevent unauthorized access, as well as notify providers of similar services so they could confirm the identity of users. Japanese authorities have also arrested two individuals attempting to use a hacked account. The men are suspected of being connected to (or hired by) a Chinese crime ring known for using stolen identities online.”
The company promises to compensate everyone who fell victim to the breach.