OnePlus has concluded its investigation into reports of a potential data breach on OnePlus.net. Unfortunately for users, the Chinese smartphone maker has determined that it did indeed suffer a data breach that could potentially affect around 40,000 users.
The breaches were first reported on OnePlus’ forums when users noticed unusual activity on their credit cards (CC) following a purchase from OnePlus.net. On 16 January, following the reports, OnePlus disabled payments via CC on its site while it conducted investigations. At the time, OnePlus claimed that payments on the site occur via a secure, third-party provider and that OnePlus neither stores nor has access to user data.
Three days later, on the 19th, by which time OnePlus appears to have concluded its investigations, the company discovered that one of its systems had been attacked and that CC data for 40,000 users may have been stolen.
“A malicious script was injected into the payment page code to sniff out credit card info while it was being entered,” confirms OnePlus’ Mingyu in a forum post. The script captured CC data from a user’s browser and transmitted that information elsewhere.
Users who performed CC transactions on OnePlus.net between mid-November 2017 and 11 January 2018 are affected, it seems. Only those users who entered CC information on the site are affected. Those who used saved CC data or paid via PayPal are unaffected.
OnePlus claims to be working with users and local authorities to address the issues. The company also claims to be conducting a security audit to find and plug any other potential security holes. Affected users will be informed via email.
“We cannot apologize enough for letting something like this happen. We are eternally grateful to have such a vigilant and informed community, and it pains us to let you down,” says OnePlus.