900 accounts were compromised.
The operator of 7-Eleven convenience stores in Japan announced that some 900 customers using its mobile payment service - launched just days before at over 20,000 stores - had lost a total of ¥55m (US$510,000) due to unauthorized access to their accounts.
Seven Pay Co. president Tsuyoshi Kobayashi told a news conference in Tokyo that the company will compensate users for the losses caused by fraudulent access.
New user registrations were already suspended, he added, as well as functions that allow users to add funds that can be spent using the 7-Pay application.
Security experts warn that attackers that compromised user accounts now have access to even more sensitive information.
"A simple application penetration test performed by a security expert would have found this issue. While penetration tests on their own are not sufficient for building secure applications, they are essential for ensuring that trivially exploitable flaws like this are discovered before launch,” Synopsys senior principal consultant Amit Sethi said.
“Attackers that compromised user accounts now have access to the users’ e-mail addresses, phone numbers and potentially birthdates. Additionally, they might also have seen the users’ previous transactions and other potentially sensitive information. The attackers may use this information in the future to target the users with highly convincing phishing attacks."
"This vulnerability allows anyone with my name and date of birth to reset my password to a password of their choice, and compromise my account. This sort of vulnerability can be easily detected by a human tester. It is therefore surprising that this vulnerability was not detected earlier,” HackerOne EMEA sales engineer Laurie Mercer added.
Do you know more about this story? Contact us anonymously through this link.