Unauthorized third parties obtained email addresses of some CurrentC pilot program participants.
Unauthorized third parties obtained email addresses of some CurrentC pilot program participants.

Just as the merchants supporting CurrentC had began to take clear steps to shut out recently unveiled rival Apple Pay, hackers stole email addresses from the mobile payment app, leaving some to speculate that consumer confidence will drop and Apple could gain an advantage.

In a statement on its website, the Merchant Customer Exchange (MCX), the alliance of retailers behind CurrentC, acknowledged the hack by unauthorized third parties who “obtained the e-mail addresses of some of our CurrentC pilot program participants and individuals who had expressed interest in the app.”

MCX noted that many of the addresses “are dummy accounts used for testing purposes only” and that “the CurrentC app itself was not affected.”

The alliance said it has notified its merchant members and “directly communicated with each of the individuals whose email addresses were involved.” The statement reiterated MCX's commitment to “the security of our users' information” and promised continued investigation of the hack.

But in the wake of an ever-growing number of data breaches that have hit Target, Dairy Queen, Kmart and other retailers, it won't take much to send consumers running scared, away from mobile payment options altogether or into the arms of another method, such as Google Wallet or Apple Pay.

“The ‘average' consumer hears the word breach and immediately thinks 'Again?  Another one?'" John Zurawski, vice president at Authentify, told SCMagazine.com in a Wednesday interview. “And the cumulative effect on their feeling of safety online is dented and diminished once again.”

That might not be what MCX wants to hear. Members of the alliance like Walmart and Best Buy, have thrown their weight behind CurrentC, which is still in beta, and have effectively tried to shut out Apple Pay and, as a result, other forms of mobile payment like the established Google Wallet.   

Zurawski and others were quick to point out that the CurrentC app itself had not been breached. “The service was hacked and emails were lost. That distinction is important as a breach contains access to financial data and this hack contains mostly just personal information,” Chris Morales, practice manager of architecture and infrastructure at NSS Labs, said in a statement sent to SCMagazine.com.

While Zurawski contended that “the best time to be hacked is while your product is in beta,” he advocated for stronger security and noted that the incident shouldn't be minimized simply because the hackers just accessed email. “The real worry gets to be what ability do they have to cross-match (emails) to other data,” he said.

And Chris Wysopal, CTO at Veracode, said in a statement emailed to SCMagazine.com that the“breached email addresses will likely be used for phishing and other targeted attacks.”