In a glaring security lapse, customers of 7-Eleven stores across Japan have lost millions of yen after scammers gained access to their online accounts.
The store launched a smartphone app for cashless payments earlier this week without realising the security risk.
Around 900 customers have had their accounts compromised and lost a combined 55 million yen ($510,000, £410,000), 7-Eleven said.
The chain has suspended the service and promised to reimburse customers.
In a statement, 7-Eleven said that third parties were able to access the accounts of people using its 7pay app, impersonate those people, and charge their accounts through the registered credit or debit card.
According to US tech site ZDNet, the mistake allowed hackers to request a password reset of any stranger’s account.
They were then able to have a recovery link sent to their own email, rather than the original account holder’s.
Only minimal information was required for the reset request – like the date of birth and email address of the original account-holder.
In many cases, such information was easily available online.
The convenience store chain said it had stopped accepting new users and suspended the charging of the app via credit cards.