Data leak

7-Eleven Japan Mobile App Flaw — $500K Stolen from Customers

📅 2019-07-01 🏢 7pay mobile app (Seven & i Holdings)
Primary Source ↗

Incident Details

On July 1, 2019, the day the 7pay mobile payment app launched in Japan, criminals immediately began exploiting a critical vulnerability in the app’s password reset mechanism. The reset flow let an attacker redirect the password reset email to an attacker-controlled address instead of the registered account email, requiring only the victim’s email address, date of birth, and phone number — information often available from other breaches or social media. Attackers then used the hijacked accounts to top up the 7pay balance with stolen credit or debit cards and purchased goods in-store. Within three days approximately 900 accounts had been compromised and approximately 55 million yen (approximately $500,000 USD) was stolen. Seven & i Holdings suspended new user registrations and the ability to add money to the app on July 3, and shut down the entire 7pay service on July 4 — just four days after launch. The vulnerability reflected a fundamental design flaw rather than a runtime exploit: security was apparently not considered during the app’s design. The incident prompted widespread criticism in Japan of Seven & i Holdings’ security practices and became a cautionary tale about the risks of rushed fintech launches without adequate security review.

Technical Details

Initial Attack Vector
Application vulnerability — the 7pay app (7-Eleven Japan's new mobile payment application) had a flawed password reset mechanism that allowed attackers to reset any account's password by supplying only the account holder's email address, date of birth, and phone number. A second design flaw allowed the password reset link to be delivered to a third-party email address chosen by the requester rather than the address on record.
Vendor / Product
7pay mobile app (Seven & i Holdings)
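To make the two design flaws concrete, here is an added illustration (not 7pay's code; the account data, mailer and function names are constructed for this example) of a reset handler that trusts knowable facts and a caller-supplied delivery address, beside a hardened version that delivers a hashed, expiring token only to the registered address:

```python
import hashlib
import secrets
import time

# Constructed sample account store; values are invented for this example.
ACCOUNTS = {
    "alice@example.com": {"dob": "1990-01-01", "phone": "09012345678"},
}

SENT_MAIL = []   # (recipient, token) pairs, standing in for a real mailer
PENDING = {}     # sha256(token) -> (account email, expiry timestamp)


def reset_vulnerable(email, dob, phone, send_to):
    """Flaw of the kind described above: identity is 'proven' with facts
    an outsider can know, and the caller chooses where the link goes."""
    acct = ACCOUNTS.get(email)
    if acct is None or acct["dob"] != dob or acct["phone"] != phone:
        return None
    token = secrets.token_urlsafe(32)
    SENT_MAIL.append((send_to, token))   # recipient is caller-controlled
    return token


def reset_hardened(email, **ignored_fields):
    """Hardened flow: the link is delivered only to the address on record,
    any extra fields (DOB, phone, send_to) are ignored, only a hash of the
    token is stored, and the token expires after 15 minutes."""
    if email in ACCOUNTS:
        token = secrets.token_urlsafe(32)
        digest = hashlib.sha256(token.encode()).hexdigest()
        PENDING[digest] = (email, time.time() + 900)
        SENT_MAIL.append((email, token))
    return "ok"   # identical response whether or not the account exists


def consume_token(token):
    """Redeem a reset token once; returns the account email or None."""
    digest = hashlib.sha256(token.encode()).hexdigest()
    entry = PENDING.pop(digest, None)   # single use: removed on first try
    if entry is None or entry[1] < time.time():
        return None
    return entry[0]
```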

Timeline

  1. 2019-07-01 Breach occurred
  2. 2019-07-04 Publicly disclosed
  3. 2019-07-04 Customers notified