7-Eleven payment app was hacked; $500k USD stolen

According to web application security testing specialists, 7-Eleven Japan decided to suspend the mobile payment feature recently implemented for the 7Pay app after a third party exploited a vulnerability to make fraudulent charges, affecting hundreds of customers.

The mobile payments feature had just been released on Monday, July 1 and allowed users to scan a barcode with the app to make payments with the card linked to the app. A few hours after its release, the company began receiving reports of unauthorized charges.

The vulnerability in the app was exploited by unidentified hackers; according to web application security testing experts, the threat actors only needed to know a victim's date of birth, email address and phone number. The attack consisted of submitting a password reset request in which the reset message was delivered to an email address controlled by the hackers rather than to the account owner.

The hackers developed a way to automate hundreds of password reset requests, compromising nearly a thousand accounts and committing fraud of around ¥55M (around $500k USD).
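The flaw described above, as an added illustration that is not code from 7Pay or from the article: a reset handler that mails the token to whatever address the request names, beside a hardened one that mails only the address on file and limits reset requests per account (the user store, addresses and function names are constructed sample data).

```python
import secrets
import time
from collections import defaultdict

# Constructed user store: account id -> registered profile (sample data, not 7Pay's).
USERS = {
    "user-001": {"email": "owner@example.com", "birthdate": "1990-01-01", "phone": "080-0000-0000"},
}

def _identity_matches(user, birthdate, phone):
    return user["birthdate"] == birthdate and user["phone"] == phone

def vulnerable_reset(user_id, birthdate, phone, notify_email, outbox):
    """Flawed design: the caller chooses where the reset token is delivered."""
    user = USERS.get(user_id)
    if not user or not _identity_matches(user, birthdate, phone):
        return False
    outbox.append((notify_email, secrets.token_urlsafe(16)))  # token goes to whoever asked
    return True

RESET_ATTEMPTS = defaultdict(list)  # account id -> timestamps of recent reset requests
MAX_PER_HOUR = 3

def hardened_reset(user_id, birthdate, phone, notify_email, outbox, now=None):
    """Fixed design: the token goes only to the email on file, requests are rate-limited
    per account, and the response does not reveal whether the account exists.
    notify_email is accepted only to show that it is ignored."""
    now = time.time() if now is None else now
    user = USERS.get(user_id)
    if not user or not _identity_matches(user, birthdate, phone):
        return "accepted"  # same answer as success, so ids cannot be enumerated
    window = [t for t in RESET_ATTEMPTS[user_id] if now - t < 3600]
    if len(window) >= MAX_PER_HOUR:
        RESET_ATTEMPTS[user_id] = window
        return "rate_limited"
    window.append(now)
    RESET_ATTEMPTS[user_id] = window
    outbox.append((user["email"], secrets.token_urlsafe(16)))  # registered address only
    return "accepted"
```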

Through its website, the company reported that the vulnerable feature has been suspended and that, for the moment, it is not possible to register as a new 7Pay user. Users who reported that their accounts were hacked will be compensated by 7-Eleven, and the company has also set up a special support line to answer questions from users concerned about the security of their data.

Japan's financial and data protection regulators had previously recommended that the company strengthen the weakest points of its IT infrastructure, although it appears that the company did not follow the recommendations made by the Japanese Government.

According to web application security testing specialists from the International Institute of Cyber Security (IICS), Japanese authorities began an investigation immediately after receiving the report and found two individuals attempting to use one of the compromised user accounts. These people are likely linked in some way to the hacker or hacker group behind the attack.