7-Eleven Japan shut down a mobile payments app after only two days because hackers exploited a simple security flaw and customers lost over $500,000


7-Eleven Japan released a mobile payment app 7pay that had a security flaw for resetting passwords, and users lost a total of about $510,000.

  • On July 1, 7-Eleven Japan launched a mobile payment app, called 7pay, that had the security flaw of allowing anyone to reset any other user's password, ZDNet reported.
  • Bad actors accessed 900 customers' accounts and made off with the equivalent of about $510,000, the company says.
  • 7-Eleven Japan has shut down the app and promised to compensate users for the money they lost.

On July 1st, 7-Eleven Japan launched 7pay, a new mobile app that allows customers to make purchases at its convenience stores, which are widely popular in Asia. But two days later, 7pay was shut down, after the company advised customers that third parties had accessed some accounts.

All told, the company said in a press release, over 900 customers had their accounts accessed, and they lost a collective total of ¥55 million, the equivalent of about $510,000. It promises compensation for affected users.

7pay was 7-Eleven's mobile wallet system, allowing users to make in-store payments by scanning a barcode at the cash register tied to a credit or debit card, similarly to systems like Walmart Pay.

The way it went down, reports ZDNet and Yahoo Japan, is that some bad actors had exploited a simple security flaw with the password system - specifically, that anybody could reset any 7pay user's password.


The issue, per those reports, was that 7pay only required the user's email address, phone number, and date of birth to reset a password. Once all of that information is entered, however, it will apparently send a link to reset the password to any e-mail address you choose, even if it's not your own.

In other words, unauthorized parties could allegedly send the reset link to their own accounts, create their own passwords, and access that account, without any sophisticated hacking technique. From there, those hackers could have theoretically walked into any 7-Eleven store that accepts 7pay and made purchases with somebody else's account.
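The reset flow described above, next to a corrected one, as an added Python example (not 7pay's code, which the reports do not show). The account store, function names and token handling are assumptions made for illustration, and the sample account is constructed.

```python
import hashlib
import secrets
import time

# Constructed sample account store; all values are made up for illustration.
USERS = {
    "victim@example.com": {"phone": "09000000000", "dob": "1990-01-01"},
}
OUTBOX = []          # (recipient, token) pairs standing in for sent e-mail
RESET_TOKENS = {}    # sha256(token) -> (account e-mail, expiry timestamp)
TOKEN_TTL = 15 * 60  # seconds


def _issue_token(account):
    # Store only a hash of the token so a leaked table cannot be replayed.
    token = secrets.token_urlsafe(32)
    digest = hashlib.sha256(token.encode()).hexdigest()
    RESET_TOKENS[digest] = (account, time.time() + TOKEN_TTL)
    return token


def request_reset_flawed(email, phone, dob, send_to):
    """Flow as reported: quasi-public identifiers gate the reset, and the
    link goes to whatever address the requester supplies."""
    user = USERS.get(email)
    if user and user["phone"] == phone and user["dob"] == dob:
        OUTBOX.append((send_to, _issue_token(email)))
        return True
    return False


def request_reset_hardened(email, send_to=None):
    """Deliver only to the address on file; any caller-supplied destination
    is ignored, and the reply is the same whether or not the account exists."""
    if email in USERS:
        OUTBOX.append((email, _issue_token(email)))
    return True


def redeem(token):
    """Single-use, time-limited redemption; returns the account or None."""
    digest = hashlib.sha256(token.encode()).hexdigest()
    account, expiry = RESET_TOKENS.pop(digest, (None, 0))
    return account if account and time.time() < expiry else None
```

The corrected flow ties proof of ownership to control of the registered mailbox rather than to knowledge of a phone number and date of birth, which other people can know.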


After the app launched, 7pay users tweeted about being locked out of their accounts.

A spokesperson for 7-Eleven did not immediately respond to a request for comment.
