On Thursday, 7-Eleven Japan suspended a recently-launched mobile payments feature on its 7Pay app after a flaw allowed a third party to make bogus charges on hundreds of customer accounts.
The company released the feature on Monday, July 1st: it allowed customers to scan a barcode with the app and charge a linked credit or debit card. However, the company received a complaint the next day: a customer noticed a charge that they didn't make. The app had a flaw, according to Yahoo News Japan (via ZDNet). A hacker would only need to know a user's date of birth, their email, and phone number, and could send a password reset request to another email address. The app also defaulted people's birthdates to January 1st, 2019 in instances where they didn't fill out the field, making it even easier for someone to break into an account.
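To make the reported flaw concrete, here is an added Python sketch (not 7Pay's code; the account records, default-birthdate constant and function names are constructed for illustration) of a reset endpoint that lets the requester choose where the reset link is delivered, beside a hardened version that only mails the address on file and refuses accounts still carrying the placeholder birthdate.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Constructed: the placeholder value the app stored when the field was left blank.
DEFAULT_DOB = date(2019, 1, 1)


@dataclass
class Account:
    email: str
    phone: str
    dob: date


# Constructed sample accounts; "dana" never filled in a birthdate.
ACCOUNTS = {
    "alice@example.com": Account("alice@example.com", "080-0000-0001", date(1985, 3, 9)),
    "dana@example.com": Account("dana@example.com", "080-0000-0002", DEFAULT_DOB),
}


def _knowledge_matches(acct: Optional[Account], phone: str, dob: date) -> bool:
    """Knowledge-based check shared by both handlers."""
    return acct is not None and acct.phone == phone and acct.dob == dob


def request_reset_vulnerable(email: str, phone: str, dob: date, send_to: str) -> Optional[str]:
    """Flawed flow: returns the address the reset link is sent to, or None.

    The requester supplies send_to, so anyone who knows the email, phone and
    birthdate can have the link delivered to an address they control.
    """
    acct = ACCOUNTS.get(email)
    if not _knowledge_matches(acct, phone, dob):
        return None
    return send_to  # flaw: caller-controlled destination


def request_reset_hardened(email: str, phone: str, dob: date) -> Optional[str]:
    """Hardened flow: the link goes only to the address on file.

    Also refuses accounts whose birthdate is still the placeholder, since that
    value is guessable rather than something only the owner knows.
    """
    acct = ACCOUNTS.get(email)
    if not _knowledge_matches(acct, phone, dob) or acct.dob == DEFAULT_DOB:
        return None  # same response for every failure, so nothing is revealed
    return acct.email
```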
In this instance, hackers appear to have automated the attack, and according to the company, around 900 individuals had their accounts targeted and charged ¥55 million ($500,000). 7-Eleven Japan says that it has suspended the feature by stopping the app from charging linked cards, posted a warning on the 7pay feature's website, and has stopped registering new users. The company also says that it will be compensating users who had their accounts hacked, and has set up a support line.