Inmates of an Idaho prison hacked JPay, a service that lets prisoners accrue credits to connect with the outside world and to access forms of entertainment.  In the process, they added hundreds of thousands of dollars to their JPay accounts, The New York Times reports.

JPay is accessed via secured kiosks and tablets—or at least those that were thought to be secure, but actually had noteworthy vulnerabilities, which allowed 364 inmates to add false credits to their accounts. According to The New York Times, 50 inmates each added more than $1,000 in credits, while one added credits up to $10,000. To set context, Wired reports that it costs 47 cents to send one e-message, and up to $3.50 to download music. Prison wages are between 10 and 90 cents per hour.

The issue that enabled the hack can occur when app data is stored on the device. “In contrast to a web application, where data is stored on a web server, the data on a mobile app is more likely to be stored locally, meaning it remains on the phone or tablet,” explains Wired. As a result, it becomes much easier to hack into.

Illustrating that point, Wired spoke with one security expert who compared the JPay incident to a recently discovered vulnerability on a mobile shopping app. The app stored item prices in an SQLite database, meaning within the app itself, to avoid sending data over the network. If hackers were able to gain access to that back-end data, they could alter purchase prices.

JPay stores credit balances in a similar fashion – on the tablet itself, rather than over a centralized JPay server.

Get the full story on Wired.