Approximately 900 customers of 7-Eleven Japan have lost a collective of ¥55 million ($510,000) after hackers hijacked their 7pay app accounts and made illegal charges in their names.
The incident was caused by an appalling security lapse in the design of the company's 7pay mobile payment app, which 7-Eleven Japan launched in the country on Monday, July 1.
The 7pay mobile app was designed to show a barcode on the phone's screen when customers reach the 7-Eleven cashier counters. The cashier scans the barcode, and the bought goods are charged to the user's 7pay app and the customer's credit or debit cards that have been saved in the account.
However, in a mind-boggling turn of events, the app contained a password reset function that was incredibly poorly designed. It allowed anyone to request a password reset for other people's accounts, but have the password reset link sent to their email address, instead of the legitimate account owner.
A hacker only needed to know a 7pay user's email address, date of birth, and phone number. An additional field in the password reset section allowed the hacker to request that the password reset link be sent to a third-party email address (under the hacker's control), with no need to dig through the app's code or tamper with HTTP requests, like most of these hacks involve.
Furthermore, if the user didn't enter their date of birth, the app would use a default of January 1, 2019, making some attacks even easier, according to a report in Yahoo Japan.
With so much data about Japanese users lying around the internet from the multitude of past breaches, a hacker only had to compile it and automate an attack.
And so they did.
7-Eleven users began complaining about being locked out of their 7pay accounts a day after the app launched, with many airing their grievances on Twitter [1, 2, 3].
7-Eleven Japan reacted a day later and shut down the 7pay service on July 3.
In a press release earlier today, the company posted a post-mortem of the past few days, admitting that over the course of two days, hackers broke into nearly 900 7pay accounts, and made illegal charges worth ¥55 million ($510,000).
The company promised to compensate all users who lost funds during the hacks.
Earlier today, local media reported that Tokyo police arrested two Chinese men in their 20s for trying to purchase cigarettes using another person's 7pay account. It is unclear if the two suspects are the ones behind the 7pay attack.