7-Eleven Japan recently launched a mobile payments feature on its 7Pay app which enabled customers to simply scan a barcode in the app and charge a linked credit or debit card. Merely a week after this was announced, the feature has been pulled after a vulnerability in the app allowed hackers to steal $500,000 from users through bogus charges.
The company had received a complaint about this the very next day after launching the feature on July 1st. A customer had noticed that they had been billed a charge that they didn’t make. The flaw in the app simply required hackers to know the user’s date of birth, email, and phone number.
With those details, they could have a password reset request sent to another email address. If users didn’t fill out their birthdates when signing up, the app would default them to January 1st, 2019. Hackers apparently automated their attack and were able to target around 900 people for roughly 55 million yen, or just over $500,000.
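The reset flow described above, next to a hardened form, as an added example (not 7Pay's code, which the article does not show). The function names, sample accounts and in-memory outbox are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import date
import hmac
import secrets

# Default the article says was applied when a user left the birthdate blank.
DEFAULT_DOB = date(2019, 1, 1)

@dataclass
class Account:
    email: str
    phone: str
    dob: date

# Constructed sample data; the first user skipped the birthdate field.
ACCOUNTS = {
    "alice@example.com": Account("alice@example.com", "0900000001", DEFAULT_DOB),
    "bob@example.com": Account("bob@example.com", "0900000002", date(1990, 5, 17)),
}
OUTBOX = []  # (recipient, token) pairs standing in for sent mail

def reset_weak(email, phone, dob, send_to):
    """Flow as the article describes it: three guessable facts act as the
    only check, and the caller chooses where the reset message is sent."""
    acct = ACCOUNTS.get(email)
    if acct is None or acct.dob != dob:
        return None
    if not hmac.compare_digest(acct.phone, phone):
        return None
    OUTBOX.append((send_to, secrets.token_urlsafe(16)))
    return send_to

def reset_hardened(email):
    """Hardened form: birthdate and phone are not treated as secrets, and
    the reset token goes only to the address already on the account."""
    acct = ACCOUNTS.get(email)
    if acct is None:
        return None  # a real handler returns the same response either way
    OUTBOX.append((acct.email, secrets.token_urlsafe(16)))
    return acct.email
```

In the weak form, control of the mailbox on record is never proven, and the placeholder birthdate makes one of the three checks the same for every account that skipped the field.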
7-Eleven Japan has now confirmed that it has suspended this feature and the app can no longer charge linked cards. It also confirms that all users will be compensated. Authorities have so far arrested two individuals for attempting to use a hacked account and are of the view that they might have been connected to or hired by a Chinese crime syndicate that uses stolen identities online.