The app was troubled from the start, with customers complaining of illegal transactions made through their accounts since day one. According to ZDNet, the app's poorly designed password retrieval method was to blame. Instead of automatically sending an email to the address users had on file, the app allowed them to retrieve their passwords using any email address.
In other words, the high-tech thieves didn't even have to make the extra effort of infiltrating users' inboxes: they only had to find out people's email addresses, their dates of birth and their phone numbers. And we all know how easy it is to look those up these days, with almost everyone having social media accounts. The fact that the app used January 1st, 2019 as the default birthday of everyone who signed up without specifying their own made it much easier for the bad actors as well. All they needed to do after they gained entry to an account was to generate a barcode with the app every time they paid at a 7-Eleven outlet.
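The reset flaw described above, shown next to a corrected flow, as an added example that is not code from 7pay or from the reporting. The account records, function names and the convention of returning the address the reset mail would go to are assumptions made for illustration.

```python
from dataclasses import dataclass
from datetime import date

# Placeholder birthday the article says was assigned when none was given.
DEFAULT_DOB = date(2019, 1, 1)

@dataclass
class Account:
    email: str   # address on file
    dob: date
    phone: str

# Constructed sample accounts (not real data).
ACCOUNTS = {
    "victim@example.com": Account("victim@example.com", date(1990, 5, 17), "090-0000-0001"),
    "nodob@example.com": Account("nodob@example.com", DEFAULT_DOB, "090-0000-0002"),
}

def reset_flawed(account_email, dob, phone, send_to):
    """Flow as described: the reset mail goes to whatever address the requester names."""
    acct = ACCOUNTS.get(account_email)
    if acct and acct.dob == dob and acct.phone == phone:
        return send_to          # requester-controlled destination
    return None

def reset_hardened(account_email, dob, phone, send_to=None):
    """Corrected flow: destination is always the address on file.

    Returns the address the reset mail is sent to, or None when the request
    is refused. Every refusal looks the same to the caller.
    """
    acct = ACCOUNTS.get(account_email)
    if acct is None:
        return None
    if acct.dob == DEFAULT_DOB:
        # A placeholder birthday is known to everyone, so it cannot count
        # as a verification answer; such accounts need another channel.
        return None
    if acct.dob != dob or acct.phone != phone:
        return None
    # send_to is deliberately ignored: knowing the birthday and phone number
    # is not enough without access to the owner's own inbox.
    return acct.email

if __name__ == "__main__":
    args = ("victim@example.com", date(1990, 5, 17), "090-0000-0001", "attacker@example.net")
    print("flawed   ->", reset_flawed(*args))
    print("hardened ->", reset_hardened(*args))
```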
The company promises to compensate everyone who fell victim to the breach. Japanese authorities arrested a couple of Chinese men who attempted to pay for purchases amounting to thousands of dollars using stolen 7pay IDs. They now believe that an international group, which includes a hacker, might be involved. While the incident is still under investigation, the country's Ministry of Economy, Trade and Industry has determined that the company failed to follow guidelines to prevent unauthorized access. The agency is urging the company to boost its security measures if it wants to re-launch 7pay in the future.