Cyber Incident Victim: Seven-Eleven Japan Co., Ltd.

Date:

Jul 2019

Location:

Japan

Summary

A mobile payment app flaw at Seven-Eleven Japan allowed attackers to hijack nearly 900 user accounts by exploiting a poorly designed password reset function that redirected authentication links to unauthorized email addresses. Using readily available personal data, hackers bypassed security measures—including a default birth date setting—to make fraudulent purchases totaling approximately $510,000 before the service was suspended. The company committed to reimbursing affected customers, while authorities arrested two individuals attempting purchases with compromised accounts, though their connection to the broader attack remains unconfirmed.

Description

The 7-Eleven Japan incident began on July 1, 2019, with the launch of the company's 7pay mobile payment application, designed to allow customers to pay for purchases at 7-Eleven stores by scanning a barcode linked to their credit or debit cards. Within 24 hours of the app's release, users reported being locked out of their accounts, with many taking to Twitter to voice complaints about unauthorized access. The root cause was a critical design flaw in the app's password reset function, which did not require attackers to compromise the app's code or manipulate HTTP requests. Instead, the system allowed anyone to initiate a password reset for another user's account by providing only the target's email address, date of birth, and phone number—all commonly available from prior breaches. A secondary field in the reset interface permitted attackers to redirect the password reset link to an email address under their control, bypassing the legitimate account owner entirely. The vulnerability was exacerbated by a default date of birth setting (January 1, 2019) for users who had not entered their own information, simplifying attacks against those accounts. Attackers exploited this weakness at scale by automating credential resets using precompiled personal data, gaining full access to payment methods stored in compromised 7pay accounts.
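The reset flow described above, reduced to its two decisive design decisions, as an added illustration that is not 7pay's code and not drawn from the page's sources. Everything in it is constructed: the `User` record, the `MailSink` stand-in for an outbound mail client, the sample accounts and the `PLACEHOLDER_DOB` value that mimics the unset date-of-birth default. `reset_vulnerable` reproduces the flaw (proof of identity is only data that leaks in other breaches, a missing profile field is silently defaulted, and the link goes wherever the caller asks); `reset_hardened` and `verify_reset_token` show the corrected shape.

```python
"""Password-reset design: the flaw described above beside a hardened form.

Added illustration, not 7pay's code. The User record, the two reset
functions and all sample data are constructed for this example.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from datetime import date
from typing import Dict, List, Optional, Tuple

# Constructed stand-in for the "unset date of birth" default described above.
PLACEHOLDER_DOB = date(2019, 1, 1)


@dataclass
class User:
    email: str
    phone: str
    dob: Optional[date] = None            # None: user never entered a DOB
    pending_reset_hash: Optional[str] = None


@dataclass
class MailSink:
    """Records where reset links are delivered; stands in for an SMTP client."""
    sent: List[Tuple[str, str]] = field(default_factory=list)

    def send(self, to: str, token: str) -> None:
        self.sent.append((to, token))


# Constructed sample accounts.
USERS: Dict[str, User] = {
    "alice@example.com": User("alice@example.com", "090-0000-0001", date(1990, 5, 4)),
    "bob@example.com": User("bob@example.com", "090-0000-0002", None),
}


def reset_vulnerable(users, mail, email, dob, phone, deliver_to) -> bool:
    """Mirrors the flaw: checks only data that leaks in other breaches, fills a
    missing DOB with a known default, and mails the link wherever the caller asks."""
    user = users.get(email)
    if user is None:
        return False
    effective_dob = user.dob if user.dob is not None else PLACEHOLDER_DOB
    if effective_dob != dob or user.phone != phone:
        return False
    token = secrets.token_urlsafe(32)
    mail.send(deliver_to, token)          # caller-chosen destination: the bug
    return True


def reset_hardened(users, mail, email) -> str:
    """Hardened form: the caller supplies only the account identifier, the link
    goes to the address on file alone, unset profile fields are never defaulted
    into a check, and the server stores just a hash of the token."""
    user = users.get(email)
    if user is not None:
        token = secrets.token_urlsafe(32)
        user.pending_reset_hash = hashlib.sha256(token.encode()).hexdigest()
        mail.send(user.email, token)      # destination taken from the record
    # Same response either way, so the endpoint cannot be used to enumerate accounts.
    return "If that account exists, a reset link has been sent."


def verify_reset_token(user: User, token: str) -> bool:
    """Consume a token: constant-time compare against the stored hash, single use."""
    if user.pending_reset_hash is None:
        return False
    presented = hashlib.sha256(token.encode()).hexdigest()
    ok = hmac.compare_digest(presented, user.pending_reset_hash)
    if ok:
        user.pending_reset_hash = None    # one-shot
    return ok


if __name__ == "__main__":
    mail = MailSink()
    # Vulnerable path: a breach-sourced phone number plus the default DOB is
    # enough, and the link lands at an address the owner never registered.
    print(reset_vulnerable(USERS, mail, "bob@example.com", PLACEHOLDER_DOB,
                           "090-0000-0002", "someone-else@example.net"), mail.sent[-1][0])
    # Hardened path: identical call and response for existing and missing accounts.
    print(reset_hardened(USERS, mail, "bob@example.com"), mail.sent[-1][0])
    print(reset_hardened(USERS, mail, "nobody@example.com"), len(mail.sent))
```

The point the hardened version makes is that the reset endpoint should never accept a delivery address at all: the only channel the server trusts is the one already bound to the account, and nothing knowable from third-party breach data should substitute for it. Expiry of `pending_reset_hash` and rate limiting per account and per source are left out to keep the contrast readable; a production handler needs both.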

7-Eleven Japan suspended the 7pay service on July 3, 2019, following two days of widespread unauthorized transactions. In a July 4 press release, the company confirmed that approximately 900 user accounts had been compromised, resulting in fraudulent charges totaling ¥55 million (approximately $510,000 USD). The attackers used stolen credentials to make purchases at physical 7-Eleven locations, with Tokyo police arresting two Chinese nationals in their 20s for attempting to buy cigarettes using a hijacked account. While the suspects' connection to the broader attack remained unclear, the breach highlighted systemic security failures in the app's authentication design. 7-Eleven Japan pledged full reimbursement for affected customers but did not disclose technical remediation steps or a relaunch timeline for 7pay. The incident marked one of Japan's most significant mobile payment breaches at the time, directly attributable to inadequate identity verification controls during a high-profile service rollout.
