Hackers swarmed 7-Eleven Japan’s 7Pay app after an exploitable flaw in the newly launched mobile payment feature led to sudden unknown charges to over 900 users, amounting to $500,000.
The company was forced to suspend the app’s operations after receiving thousands of complaints from users about charges they didn’t make, according to a report from The Verge.
The app initially allowed customers to scan a barcode and charge a debit or credit card linked to it. However, according to Yahoo News Japan, the mobile payment feature had a flaw: an attacker only needed to know a user’s birthday, email, and phone number, after which they could have a password reset sent to another email address. In addition, users who didn’t fill out the birthday field had theirs preset to January 1, 2019, making it easier for hackers to access their accounts.
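The reset flaw described above, as an added example that is not 7Pay's code: the reported behaviour next to a hardened form that mails the reset only to the registered address and refuses to treat the placeholder birthday as proof of identity. The account store, field names and function names are assumptions, and the records are constructed.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Placeholder the article says was stored when the birthday field was left blank.
DEFAULT_BIRTHDAY = date(2019, 1, 1)

@dataclass
class Account:
    email: str      # address registered with the account
    phone: str
    birthday: date

# Constructed sample records (hypothetical users, not real data).
ACCOUNTS = {
    "alice@example.jp": Account("alice@example.jp", "090-0000-0001", date(1990, 4, 12)),
    "bob@example.jp": Account("bob@example.jp", "090-0000-0002", DEFAULT_BIRTHDAY),
}

def reset_vulnerable(email, phone, birthday, send_to=None) -> Optional[str]:
    """Behaviour as reported: three knowable facts authorize a reset and the
    caller chooses where the reset mail goes. Returns the recipient or None."""
    acct = ACCOUNTS.get(email)
    if acct and (acct.phone, acct.birthday) == (phone, birthday):
        return send_to or acct.email
    return None

def reset_hardened(email, phone, birthday, send_to=None) -> Optional[str]:
    """Hardened form: the destination is never taken from the request, and an
    unset (placeholder) birthday cannot pass the knowledge check."""
    acct = ACCOUNTS.get(email)
    if acct is None:
        return None
    if acct.birthday == DEFAULT_BIRTHDAY:
        return None  # field was never filled in; use another recovery route
    if (acct.phone, acct.birthday) != (phone, birthday):
        return None
    return acct.email  # send_to is ignored: only the registered mailbox gets the link

if __name__ == "__main__":
    attempt = ("bob@example.jp", "090-0000-0002", DEFAULT_BIRTHDAY, "other@example.net")
    print("vulnerable ->", reset_vulnerable(*attempt))
    print("hardened   ->", reset_hardened(*attempt))
```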
Hackers then seized the opportunity and automated the attacks, which reached around 900 users whose cards were charged a total of $500,000, according to Japan Times.
A member of Japan’s Ministry of Economy, Trade and Industry has called on the company to improve its security measures, as it clearly didn’t follow the country’s security guidelines.
7-Eleven has since stopped registering new users, posted a warning on its website, and promised to compensate users whose accounts were compromised. It has also launched a support line for the affected users.
Japanese authorities arrested two individuals who attempted to use a hacked account after tracing them. Authorities added that the two might either be connected to or have been hired by a crime ring known for its extensive use of stolen identities.