Popular China-based Android smartphone manufacturer OnePlus has admitted that its credit card payment system was indeed compromised. In a forum post, OnePlus said that one of its systems was attacked to inject a malicious script into the payment page. This script operated ‘intermittently’ and captured credit card details as they were entered.
In an email sent to affected customers, OnePlus said that an urgent investigation was launched as soon as the company was made aware of the attack. Their findings have revealed that some customers who entered their credit card details on oneplus.net between mid-November 2017 and 11th January 2018 may have been affected.
The number of these potentially affected customers is up to 40,000 according to OnePlus. Only users who entered their credit card details during that period are said to have been affected. Users who made payments via previously-saved credit card details or using PayPal are not affected.
“We are deeply sorry to announce that we have indeed been attacked, and up to 40k users at oneplus.net may be affected by the incident.”
The rogue script was able to capture complete credit card details including card numbers, expiry dates, and security codes. This information was stolen directly from a customer’s browser as it was entered.
Although 40,000 users might have been affected in the OnePlus credit card data breach, the company has not confirmed the number of customers whose payment details were used for fraudulent purposes. OnePlus said that the number of affected users represented a ‘small portion’ of its customer base.
As a result of this breach, OnePlus has suspended credit card payments. The company is working with a cybersecurity firm to beef up its security, according to the email sent to potentially affected customers. Customers can buy OnePlus products using PayPal in the meantime.
“We cannot apologize enough for letting something like this happen. We are eternally grateful to have such a vigilant and informed community, and it pains us to let you down.”
Following is the email sent to customers potentially affected by the OnePlus credit card data breach.
If you recently purchased a OnePlus product from their website using a credit card, check your statement for an expense you didn’t authorize. Contact your bank immediately if you spot a fraudulent transaction. Read this post on the OnePlus forum for more information.