- On July 1, 7-Eleven Japan launched a mobile payment app, called 7pay, with a security flaw that allowed anyone to reset any other user’s password, ZDNet reported.
- Bad actors accessed 900 customers’ accounts and ripped them off to the tune of about $510,000, the company says.
- 7-Eleven Japan has shut down the app and promised to compensate users for the money they lost.
On July 1st, 7-Eleven Japan launched 7pay, a new mobile app that allows customers to make purchases at its convenience stores, which are widely popular in Asia. But two days later, 7pay was shut down, after the company advised customers that third parties had accessed some accounts.
All told, the company said in a press release, over 900 customers had their accounts accessed, and they lost a collective total of ¥55 million, the equivalent of about $510,000. It promises compensation for affected users.
7pay was 7-Eleven’s mobile wallet system. It allowed users to make in-store payments by scanning, at the cash register, a barcode tied to a credit or debit card, similar to systems like Walmart Pay.
The way it went down, reports ZDNet and Yahoo Japan, is that some bad actors had exploited a simple security flaw with the password system – specifically, that anybody could reset any 7pay user’s password.
The issue, per those reports, was that 7pay only required the user’s email address, phone number, and date of birth to reset a password. Once all of that information was entered, however, the app would apparently send the password reset link to any e-mail address entered, even one that did not belong to the account’s owner.
In other words, unauthorized parties could allegedly send the reset link to their own addresses, create their own passwords, and access that account, without any sophisticated hacking technique. From there, those hackers could have theoretically walked into any 7-Eleven store that accepts 7pay and made purchases with somebody else’s account.
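The reported design, as an added Python example that is not from the original reports or from 7pay’s code: a reset handler that mails the link to an address taken from the request, beside one that mails it only to the address on file and records any other destination for review. The account store, field names and `send_to` parameter are assumptions for illustration.

```python
import secrets
import time

# Constructed sample data; field names and the send_to parameter are assumptions.
ACCOUNTS = {"owner@example.com": {"phone": "0900000000", "dob": "1990-01-01"}}
OUTBOX = []      # (recipient, token) pairs, standing in for outbound mail
TOKENS = {}      # token -> (account email, expiry timestamp)
ALERTS = []      # rejected requests, for fraud monitoring
TOKEN_TTL = 900  # seconds a reset link stays valid


def _details_match(email, phone, dob):
    acct = ACCOUNTS.get(email)
    return acct is not None and (acct["phone"], acct["dob"]) == (phone, dob)


def request_reset_flawed(email, phone, dob, send_to=None):
    """Design as reported: the link is mailed to whatever address is supplied."""
    if not _details_match(email, phone, dob):
        return None
    token = secrets.token_urlsafe(32)
    TOKENS[token] = (email, time.time() + TOKEN_TTL)
    recipient = send_to or email  # destination comes from the request itself
    OUTBOX.append((recipient, token))
    return recipient


def request_reset_hardened(email, phone, dob, send_to=None):
    """The link goes only to the address on file; other destinations are logged."""
    if not _details_match(email, phone, dob):
        return None
    if send_to is not None and send_to.lower() != email.lower():
        ALERTS.append({"account": email, "requested_destination": send_to})
        return None
    token = secrets.token_urlsafe(32)
    TOKENS[token] = (email, time.time() + TOKEN_TTL)
    OUTBOX.append((email, token))
    return email


def redeem(token):
    """Single use, time limited: returns the account the token was issued for."""
    account, expires = TOKENS.pop(token, (None, 0))
    return account if account and time.time() < expires else None
```

Email address, phone number and date of birth are known to people other than the account holder, so in the hardened handler the proof of ownership is access to the mailbox already on file, not knowledge of those three details.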
After the app launched, 7pay users tweeted about being locked out of their accounts.
A spokesperson for 7-Eleven did not immediately respond to a request for comment.