Authorities in southern China arrested two people Monday suspected of hacking into the accounts of dozens of shared bike users and stealing their money, Guangzhou Daily reported.
The park-anywhere rental bikes, which usually cost just 1 yuan ($0.15) to ride, are a popular mode of transport in Chinese cities. The companies behind them have already had to deal with stricter regulation, safety and liability concerns, and careless users, and now they have to contend with the security of their apps.
The Shenzhen Municipal People’s Procuratorate, in Guangdong province, busted one suspect surnamed Yang, who allegedly exploited a security flaw in the app of an unnamed shared bike company. Yang is accused of withdrawing money from users’ accounts — including the deposits of several hundred yuan that users pay when they sign up — by changing user information. He transferred the money to his own payment account on WeChat, a messaging app, authorities said.
Yang then informed another suspect, surnamed Wu, of the loophole, the procuratorate said. Wu then found more ways to transfer other users’ money to the suspects’ accounts, and in just two days, the duo allegedly amassed more than 20,000 yuan. They were found out after one of the victims discovered their account balance had decreased and reported it to the company.
The shared bicycle company involved has since closed the loophole and compensated the victims whose money was stolen.
Previous reports have also pointed to security flaws in China’s app-based rental economy and the cashless payment systems on which it relies. In May, during an international security contest named GeekPwn 2017, a programmer cracked four popular bike-sharing apps in less than a minute. She managed to log into people’s accounts and access their private information.
South China Morning Post reported Thursday that researchers at the Chinese University of Hong Kong had found several mobile payment methods could be hacked, including Alipay, the most widely used digital wallet app in China. They said that payment communications, for example those involving QR codes, could be intercepted and manipulated.
The report noted that the findings had been reported to Alipay, which said in response that the loophole was “nearly unfeasible.”
Editor: Kevin Schoenmakers.
(Header image: A woman scans a QR code to unlock a shared bike in Anqing, Anhui province, Dec. 6, 2016. Ming Huan/VCG)