7-Eleven Japan had to suspend the mobile payments feature on its 7Pay app due to a security flaw that affected around 900 people.
The payments feature, which was launched on July 1, allowed customers to scan a barcode with the app and charge a linked credit or debit card. But according to The Verge, the company received a complaint on July 2 when a customer noticed a charge that they didn’t make. It was then discovered that the app had a flaw that allowed hackers to make ¥ 55 million ($500,000) worth of fraudulent charges on around 900 customer accounts.
The flaw would allow hackers to simply know a user’s date of birth, email and phone number, and could send a password reset request to another email address. Since the app defaulted people’s birthdates to Jan. 1, 2019, when customers didn’t fill out the field, it was even easier for someone to break into an account.
After the incident, The Japan Times reported that the country’s Ministry of Economy, Trade and Industry warned the company to boost its security after it was determined that 7-Eleven had failed to carefully follow guidelines to prevent unauthorized access, as well as notify providers of similar services so they could confirm the identity of users. Japanese authorities have also arrested two individuals attempting to use a hacked account. The men are suspected of being connected to (or hired by) a Chinese crime ring known for using stolen identities online.
In the meantime, the company revealed it has suspended the payments feature so the app can no longer charge to linked cards. It also posted a warning to the 7Pay feature’s website, and it has stopped registering new users. 7-Eleven also announced it will be compensating users who had their accounts hacked and setting up a support line so anyone impacted by the flaw can get in contact with the company.