Late last week, 7-Eleven of Japan suspended the recently launched payment feature in its mobile app. A loophole in the feature allowed hackers to hijack accounts and make fraudulent purchases. The losses reportedly added up to JPY 55 million (~RM2.1 million) from a total of 900 victims.
The 7-Eleven mobile app, called 7Pay, came with a flaw in its password reset function. 7Pay’s implementation let anyone request a password reset and have the reset link sent to any email address, not just the account owner’s. The fraudster would still need the account owner’s email address, date of birth, and phone number.
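The flaw described above, sketched as an added example (this is not 7Pay's code; the in-memory account store, field names and function names are hypothetical). The flawed handler mails the reset link to an address the requester supplies, while the fixed one only ever uses the address stored on the account.

```python
import secrets

# Constructed sample account; all values are made up for illustration.
ACCOUNTS = {
    "owner@example.com": {"dob": "1990-01-01", "phone": "090-0000-0000"},
}
OUTBOX = []        # (recipient, token) pairs standing in for sent emails
RESET_TOKENS = {}  # token -> account email


def _verify(email, dob, phone):
    """Return the account key if the submitted identity details match."""
    acct = ACCOUNTS.get(email)
    if acct and acct["dob"] == dob and acct["phone"] == phone:
        return email
    return None


def _issue(account_email, recipient):
    """Create a single reset token and 'send' it to the recipient."""
    token = secrets.token_urlsafe(32)
    RESET_TOKENS[token] = account_email
    OUTBOX.append((recipient, token))


def request_reset_flawed(email, dob, phone, send_to):
    """Flawed: the reset link goes to whatever address the requester names."""
    account = _verify(email, dob, phone)
    if account:
        _issue(account, send_to)  # recipient is requester-controlled
    return "If the details match, a reset link has been sent."


def request_reset_fixed(email, dob, phone, send_to=None):
    """Fixed: the recipient is always the address stored on the account."""
    account = _verify(email, dob, phone)
    if account:
        _issue(account, account)  # send_to is ignored on purpose
    return "If the details match, a reset link has been sent."


def recipients():
    """Addresses that have received a reset link so far."""
    return [rcpt for rcpt, _ in OUTBOX]
```

With the fixed handler, knowing the owner's email address, date of birth and phone number only causes a link to land in the owner's own inbox.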
7-Eleven Japan said that it will compensate all users who lost their accounts and the funds in them. While the app remains live, the payment feature itself has been frozen. The company has also stopped registering new users for the app.
On a related note, the Japan Times reports that authorities have arrested two Chinese nationals who attempted to use a hacked account. The police believe them to be part of, or hired by, an international criminal group based in China.