7-Eleven Japanese Customers Lose $500,000 due to Mobile App Flaw (Jul 4, 2019)
Unknown threat actors were able to steal over $510,000 USD (¥55 million) from approximately 900 customers of 7-Eleven Japan. Researchers found that the mobile application's password reset function allowed the reset link to be sent to an email address chosen by the actor rather than the one registered to the account. The actors launched automated attacks using data such as dates of birth, email addresses, and phone numbers to brute force their way into accounts. Once illicit access was gained, the actors stole over $500,000 from the 7-Eleven accounts.
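The two weaknesses described above (a reset link delivered to a client-chosen address, and unlimited guessing of date of birth and phone number), as an added illustration that is not code from 7-Eleven's app or from the original article; the account records, field names and lockout threshold are assumptions made for the example:

```python
import secrets
from collections import defaultdict

# Constructed sample account store; every value here is made up for this example.
ACCOUNTS = {
    "alice@example.com": {"dob": "1990-01-01", "phone": "09000000000"},
}
MAX_ATTEMPTS = 5                      # assumed per-account threshold before throttling
_failed = defaultdict(int)            # failed verification attempts per account

def _identifiers_match(acct: str, dob: str, phone: str) -> bool:
    rec = ACCOUNTS.get(acct)
    return rec is not None and rec["dob"] == dob and rec["phone"] == phone

def reset_vulnerable(req: dict):
    """Flawed design: the request names where the reset link goes.
    Returns (recipient, token) on success, None otherwise."""
    if not _identifiers_match(req["account"], req["dob"], req["phone"]):
        return None
    token = secrets.token_urlsafe(32)
    # Defect: recipient comes from the request, so anyone who knows the
    # victim's identifiers receives the link in a mailbox they control.
    return (req.get("send_to", req["account"]), token)

def reset_hardened(req: dict):
    """Recipient is always the address on record; the request cannot override it.
    Repeated failed guesses at DOB/phone are also cut off per account."""
    acct = req["account"]
    if _failed[acct] >= MAX_ATTEMPTS:
        return None                   # throttled: too many failed verifications
    if not _identifiers_match(acct, req["dob"], req["phone"]):
        _failed[acct] += 1
        return None
    _failed[acct] = 0
    token = secrets.token_urlsafe(32)
    return (acct, token)              # any send_to in the request is ignored
```

A detection counterpart is to alert when many reset requests for distinct accounts arrive from one client, or when a reset request names a recipient that differs from the account's registered address.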
Recommendation: Always keep your mobile phone fully patched with the latest security updates. Only use official locations such as the Google Play Store / Apple App Store to obtain your software, and avoid downloading applications, even if they appear legitimate, from third-party stores. In addition, it is important to have mobile application policies in place for all devices used by your company.