The company said that some of its customers who shopped online at oneplus.net may be affected by the incident.
“One of our systems was attacked, and a malicious script was injected into the payment page code to sniff out credit card info while it was being entered,” the company said, in a website notice. “The malicious script operated intermittently, capturing and sending data directly from the user’s browser. It has since been eliminated. We have quarantined the infected server and reinforced all relevant system structures.”
The malware was live between mid-November 2017 and January 11, capturing card numbers, expiry dates and security codes. However, it didn’t affect everyone: Users who paid via a saved credit card, PayPal or with the “Credit Card via PayPal” method should not be affected. OnePlus has sent out an email to all possibly affected users.
“We cannot apologize enough for letting something like this happen. We are eternally grateful to have such a vigilant and informed community, and it pains us to let you down,” the company said. “We are in contact with potentially affected customers. We are working with our providers and local authorities to better address the incident. We are also working with our current payment providers to implement a more secure credit card payment method, as well as conducting an in-depth security audit. All these measures will help us prevent such incidents from happening in the future.”
Those buying a OnePlus smartphone from the e-commerce site during the danger period should take obvious steps to check their card statements and report any charges they don’t recognize to their banks.
“I’m impressed with the meticulousness and expediency OnePlus is taking in providing customers with notification of the breach. Based on recent events, this is not how major companies tend to act,” said Chris Morales, head of security analytics at Vectra, a San Jose, California-based provider of automated threat management solutions, via email. “It’s certainly unfortunate that the breach happened, but not at all surprising. It appears on first take to be similar to how many other retailers have been compromised. A piece of code is designed to monitor and collect credit card information. This is what happened at Target, except that it was local on the point-of-sale terminal. This breach should be a reminder that HTTPS, while encrypted, is not a guarantee of a secure transaction, as attackers can compromise the systems at both ends of any encrypted conversation.”