The hack resulted in the company discontinuing the app.
In early July 2019, 7-Eleven Japan suspended a recently launched mobile payments feature on its 7pay app after a flaw allowed a third party to make bogus charges on hundreds of customer accounts. The company released the feature on Monday, July 1st: it allowed customers to scan a barcode with the app and charge a linked credit or debit card. However, the company received a complaint the next day: a customer noticed a charge that they didn’t make.
A hacker needed to know only a user’s date of birth, email address, and phone number to request a password reset and have it sent to a different email address. The app also defaulted people’s birthdates to January 1st, 2019 in instances where they didn’t fill out the field, making it even easier for someone to break into an account. The hackers appear to have automated the attack, and according to the company, around 900 individuals had their accounts targeted, with charges totaling ¥55 million ($500,000).
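The reset flaw described above, next to a corrected version, as an added example that is not 7pay's code. The record layout, function names and sample accounts are constructed for illustration; each function returns the address a reset link would be delivered to, or `None` when the request is refused.

```python
from dataclasses import dataclass
from datetime import date
from typing import List, Optional

# Placeholder birthdate stored when the field was left blank (per the article).
DEFAULT_DOB = date(2019, 1, 1)

@dataclass
class Account:  # constructed record layout, not 7pay's real schema
    email: str
    phone: str
    dob: date

# Constructed sample accounts; the second never filled in a birthdate.
ACCOUNTS = [
    Account("alice@example.com", "09000000001", date(1990, 5, 17)),
    Account("bob@example.com", "09000000002", DEFAULT_DOB),
]

def find_account(accounts: List[Account], email: str, phone: str, dob: date) -> Optional[Account]:
    for acct in accounts:
        if (acct.email, acct.phone, acct.dob) == (email, phone, dob):
            return acct
    return None

def reset_recipient_weak(accounts, email, phone, dob, send_to=None) -> Optional[str]:
    """Flow as described: three guessable facts, and the requester picks the inbox."""
    acct = find_account(accounts, email, phone, dob)
    if acct is None:
        return None
    return send_to or acct.email

def reset_recipient_hardened(accounts, email, phone, dob, send_to=None) -> Optional[str]:
    """Reset link goes only to the address on file; a placeholder DOB verifies nothing."""
    acct = find_account(accounts, email, phone, dob)
    if acct is None or acct.dob == DEFAULT_DOB:
        # Assumption: accounts without a real birthdate use a stronger recovery path.
        return None
    return acct.email  # send_to is deliberately ignored
```

In the hardened version, knowing the three facts is no longer enough: the requester also needs access to the mailbox already registered on the account.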
7-Eleven Japan says that it has suspended the feature by stopping the app from charging linked cards, posted a warning to the 7pay feature’s website, and has stopped registering new users. The company also says that it will be compensating users who had their accounts hacked, and set up a support line.
7-Eleven Japan thought using two-factor authentication for its just-released mobile payment feature would be too much of a hassle for users, a gamble that quickly cost the company consumer trust.
In the days after the convenience store chain rolled out 7pay on July 1, hackers made off with over 38 million yen ($350,000) from unsuspecting accounts.
Now parent Seven & i Holdings will shut down the service altogether in late September.