The phone maker sent an email to customers Friday, saying customers’ credit card numbers, expiry dates, and security codes “may have been compromised.”
The email, posted by Peter Smallbone on Twitter, said: “As soon as we were made aware of the attack, we launched an urgent investigation. We suspended credit card payments and have been working with a cybersecurity firm to reinforce our systems.”
Several customers also posted the same email on the company’s forums on Friday.
The company is “looking” to provide credit card monitoring for customers affected.
A malicious script was inserted on the company’s pages, capturing and sending data directly from the user’s browser. The script, now removed, is said to have “operated intermittently.”
The company said customers who entered their credit card details on the company’s site between mid-November and January 11 may be affected. The company said that may include “up to 40,000” customers.
Anyone who paid with PayPal aren’t affected, neither are those who paid with a previously saved credit card on file.
Reports of credit card fraud started popping up over the weekend. On Thursday, the company said it was looking into a “serious issue” and “as a precaution, we are temporarily disabling credit card payments” on its site.