Hackers Exploited A 7-Eleven App Flaw To Steal $500K From Customers

Customers of a Japanese-American payment app have suffered a major blow due to a cyber attack on the app. As revealed, hackers exploited serious vulnerabilities in the ‘7pay’ mobile app to pilfer over $500,000. Ironically, the 7-Eleven app flaws exploit took place soon after its launch.

7-Eleven App Flaws Exploited

Reportedly, the mobile app belonging to the Japanese-American chain of convenience stores 7-Eleven Inc which suffered a cyber attack. Hackers exploited 7-Eleven app flaws to pilfer thousands of dollars from customers.

As revealed by Yahoo Japan, the 7-Eleven mobile payment app ‘7pay’ had some obvious security vulnerabilities that risked all customer accounts. Consequently, it didn’t take long for the attackers to exploit the vulnerabilities for their malicious gain.

7-Eleven Inc. launched the mobile payment app on July 1, 2019. The app was supposed to facilitate customers in making smooth online payments via barcodes. After making a purchase, a customer would simply show the barcode to the cashier who would then scan the barcode for billing.

Nonetheless, right after its launch, customers began complaining about some unauthorized transactions from their accounts. As disclosed in a company’s press release later, they first received the complaint on July 2, 2019.

Upon digging further into the matter they could identify ‘illegal use’. While the cause of the attack remained undetermined initially, Yahoo Japan pointed out some security issues with the app. It turned out that the weakness in the password reset feature of 7pay could have triggered the attack.

Knowing the email address, date of birth, and phone number, it turned out that a third party could change the 7pay 7-Eleven app password.

Furthermore an attacker could receive the password reset account on any other email unrelated to the one registered with the app. (Tough, doing so would notify the registered email address as well.)

Moreover, the app also lacked two-step verification.

Furthermore, because there is no second authentication such as SMS authentication, it is possible for a third party to take over.

The attackers could exploit these flaws and managed to pilfer 55 million Yen (~$510,000) affecting 900 customers.

Service Suspended For Now – Customers To Be Reimbursed

After receiving the first complaint on July 2, 2019, 7-Eleven began investigating the matter that made them quickly realize fraud of over $500K had occurred. Following this discovery, the company immediately put up a notice to alert the customers of the matter. They stopped charging through debit/credit cards, and also announced a halt to new registrations on the 7pay app and charges through other means.

Seven-Eleven storefront cash register at Seven Bank ATM, cash charges from ATMs and nanaco points will be suspended, and all charges will be suspended.

Since they have acknowledged the issue, they assured customers that reimbursements would be made to the amount pilfered. The services remain suspended as they proceed with the investigations.

Take your time to comment on this article.

Related posts

Water Facilities Must Secure Exposed HMIs – Warns CISA

Microsoft December Patch Tuesday Arrived With 70+ Bug Fixes

NachoVPN Attack Risks Corporate VPN Clients