OnePlus admits up to 40,000 customers affected by credit card data leak

Last week members of the OnePlus community reported cases of unknown credit card transactions occurring on their credit cards post-purchase from oneplus.net. The case was soon brought to OnePlus' attention following which the company had provided a statement saying that the company took information privacy extremely seriously and that the company had begun to investigate the case as a matter of urgency.

The company had further announced that it was shutting down credit card payments for its online store and that it would report the findings of the investigation later.

And now, OnePlus seems to have concluded its investigation. The company has, in fact, published its first report on its official forum page. Unfortunately, there might be bad news for some consumers. The company has actually confirmed that credit card information belonging to customers was hacked by malicious (and currently unknown) agents between November 2017 and mid-January 2018.

Besides, the company has said, "We are deeply sorry to announce that we have indeed been attacked, and up to 40k users at oneplus.net may be affected by the incident. We have sent out an email to all possibly affected users."
What Happened?

Further, the company has detailed that one of its systems was attacked, and a malicious script was injected into the payment page code to sniff out credit card info while it was being entered. The malicious script operated intermittently, capturing and sending data directly from the user's browser.

However, OnePlus has assured that such threat has since been eliminated. "We have quarantined the infected server and reinforced all relevant system structures," the company proclaimed.

Who is Affected?

In a forum post detailing the findings, OnePlus has said that some users who entered their credit card info on oneplus.net between mid-November 2017 and January 11, 2018, may be affected. Further credit card info (card numbers, expiry dates and security codes) entered at oneplus.net during this period may have been compromised.

Users who paid via a saved credit card or via PayPal method should not have been affected.

Meanwhile, OnePlus recommends that if users suspect that their credit card info has been compromised, then they should check their card statement and contact their bank to resolve any suspicious charges. The bank should help users initiate a chargeback and prevent any financial loss.

OnePlus has also stated that if any of the users notice potential system vulnerabilities, they should report them to [email protected]. This is a monitored inbox and OnePlus will respond to the reports filed.

OnePlus' Initiative

While the investigation into potential culprits is still ongoing, and while a spokesperson insists only one server was affected, OnePlus has said, "We cannot apologize enough for letting something like this happen. We are eternally grateful to have such a vigilant and informed the community, and it pains us to let you down."

"We are in contact with potentially affected customers. We are working with our providers and local authorities to better address the incident. We are also working with our current payment providers to implement a more secure credit card payment method, as well as conducting an in-depth security audit. All these measures will help us prevent such incidents from happening in the future," the company added.