January 22, 2018
OnePlus confirmed last week that they’ve experienced a massive data breach which exposed the credit card information of almost 40,000 of their customers. The China-based phone manufacturer sent affected customers an email last week. In this email, the company stated that their website, OnePlus.net, suffered a hack where attackers inserted a malicious script in the firm’s payment page. After injecting the script, the hackers were able to collect sensitive information from customers, including their credit card details.
In a statement, OnePlus confirmed that the malicious script operated by simultaneously sending and capturing information from the affected customer’s browser. The company also confirmed that since its discovery, they have addressed and eliminated the threat. In their statement, OnePlus noted that they have isolated the compromised server and have since enhanced the security measures on all other system servers.
According to the company, any customer who used the official OnePlus.net payment page to enter information between November 2017 and January 2018 could be affected. Sensitive customer information was compromised during the breach, including real names and credit card information.
However, OnePlus did state that any customer who either paid using PayPal or used a credit card that was saved on their browser was likely not affected by the breach. The company went on to state that users’ credit card details are never saved or processed using the OnePlus.net website.
A spokesperson confirmed that all information is sent directly to OnePlus’ PCI-DSS payment processor using encryption and is subsequently processed on secure servers.
All potentially impacted customers received emails informing them of the breach. The company will provide potentially affected users with a free 12-month credit monitoring service.
Interestingly, this announcement came shortly after reports started circulating of OnePlus customers falling victim to credit card fraud soon after completing a purchase on the official website. Last week, OnePlus temporarily suspended all credit card payments on its online store in order to investigate a critical issue in partnership with a third-party cybersecurity company.
The issue was reported on OnePlus’ forum by user @superdutynick.
So far, the company has not provided more details regarding the nature of the hack or which script was inserted.
Potentially impacted users have been advised to check their credit card statements for the last few months and to continue monitoring statements for suspicious activity.
In their email, the company apologized profusely to their impacted customers and expressed their gratitude for the OnePlus community’s understanding in this regard. In addition, OnePlus added that they are working with local law enforcement and their partners in order to efficiently deal with the issue.
The company concluded by stating that they will be collaborating with their payment processing partner to create a more secure payment system to prevent similar hacks in the future.