Attackers exploit flaw in 7-Eleven app to swindle over $500,000 from Japanese customers

• Around 900 customers are said to have been targeted in the attack, who collectively lost around ¥55 million.
• The attackers exploited a security flaw in 7pay, a mobile payment app developed by 7-Eleven.

Popular supermarket chain 7-Eleven has become the latest victim in a cyber attack. Attackers banked on a security flaw in 7-Eleven’s 7pay and stole around ¥55 million. This was done by making fraudulent payments from 7pay accounts of around 900 Japanese customers. The flaw, which was a faulty password reset function, could allow anyone to access 7pay accounts with password resets.

7pay is a mobile payments app developed by 7-Eleven that was intended for its Japanese customers. It was launched on July 1, 2019.

Key highlights

• Many of the victims reported that they were locked out of 7pay accounts a day after it was released.
• In a press release, 7-Eleven acknowledged the account hijacking incident committed by attackers. The supermarket chain mentioned that around 900 7pay accounts were compromised with fraudulent payments made to the tune of ¥55 million.
• 7-Eleven has assured that it would compensate all victims from this incident. Furthermore, it has taken down the 7pay service for now.
• Regarding the flawed password reset function, attackers who knew a user’s email address, date of birth and phone number, could send password reset links to their own email address subsequently leading to account takeovers.

What actions were taken by 7-Eleven?

In the press release, the company mentioned that it immediately took action after the incident. “Currently, charges from credit cards and debit cards have been suspended, but Seven-Eleven storefront cash register at Seven Bank ATM, cash charges from ATMs and nanaco points will be suspended, and all charges will be suspended. In addition, we will stop the new registration of “7 pay (seven pay),” the company said.