OnePlus has sent a letter to customers this morning, and confirmed in a post on the company's forums, that it was the target of a credit card hack. The attack was accomplished via a malicious script injected into the OnePlus.net payment page code, and allowed the attackers to see customers' credit card numbers, expiration dates, and security codes - enough information to easily allow those cards to be used for fraudulent purchases. Days ago, some users had begun reporting fraudulent card activity on cards they'd used on the site.
OnePlus says the code was injected into its servers sometime in mid-November - just as the OnePlus 5T was about to launch. OnePlus is uncertain how many customers' card numbers were actually compromised, but it's sending a message to anyone who may have been affected this morning to let them know. A total of 40,000 customers are in the potentially affected group. OnePlus says saved credit cards entered into its systems before mid-November are not affected, nor were PayPal customers.
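The attack described above, a script injected into the payment page that captures card data in the shopper's browser, is the class of problem that script-inventory monitoring on the checkout page is meant to catch. The following is an added example, not OnePlus's code and not anything OnePlus described deploying; the sample page, the hostnames, the baseline values and the function names are all constructed for illustration. It parses a checkout page, hashes every inline script, checks the host of every external script against an allow-list, and reports anything that is not in the baseline.

```python
"""Payment-page script integrity check (added example; constructed data).

Any <script> the page serves that is not in the approved baseline is a finding:
an inline script with an unknown SHA-256, or an external script whose host is
not on the allow-list. Run periodically against the live page and alert on a
non-empty result.
"""
import hashlib
from html.parser import HTMLParser
from urllib.parse import urlparse

# Marker used for src values with no host part (e.g. "/static/checkout.js").
SAME_ORIGIN = "(same-origin)"


class ScriptCollector(HTMLParser):
    """Collect every <script> on a page as {"src": str|None, "body": str}."""

    def __init__(self):
        super().__init__()
        self.scripts = []
        self._in_script = False
        self._buf = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self._in_script = True
            self._buf = []
            self.scripts.append({"src": dict(attrs).get("src"), "body": ""})

    def handle_data(self, data):
        # HTMLParser hands script bodies to handle_data, possibly in chunks.
        if self._in_script:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._in_script:
            self.scripts[-1]["body"] = "".join(self._buf).strip()
            self._in_script = False


def sha256_hex(text):
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


def audit_scripts(html, allowed_hosts, allowed_inline_hashes):
    """Return a list of human-readable findings; [] means the page matches baseline."""
    collector = ScriptCollector()
    collector.feed(html)
    findings = []
    for i, script in enumerate(collector.scripts):
        if script["src"]:
            host = urlparse(script["src"]).netloc.lower() or SAME_ORIGIN
            if host not in allowed_hosts:
                findings.append(
                    f"script #{i}: external src from unapproved host {host!r}: {script['src']}"
                )
        else:
            digest = sha256_hex(script["body"])
            if digest not in allowed_inline_hashes:
                findings.append(f"script #{i}: inline script with unknown hash {digest[:16]}...")
    return findings


# --- Constructed sample data (not a real page, not real hostnames) -----------
KNOWN_INLINE = 'window.checkoutConfig = {"currency": "USD"};'
BASELINE_HOSTS = {SAME_ORIGIN, "js.payment-provider.example"}
BASELINE_INLINE_HASHES = {sha256_hex(KNOWN_INLINE)}


def build_page(injected):
    """Return a constructed checkout page, optionally with two extra scripts
    standing in for an injection (they are inert placeholders, not a skimmer)."""
    scripts = [
        '<script src="/static/checkout.js"></script>',
        f"<script>{KNOWN_INLINE}</script>",
    ]
    if injected:
        scripts.append('<script src="https://cdn.example-skimmer.invalid/t.js"></script>')
        scripts.append("<script>/* constructed placeholder for an injected script */\nvar injected = 1;</script>")
    return (
        "<html><head>" + "\n".join(scripts) + "</head>"
        '<body><form id="card"><input name="cc"></form></body></html>'
    )


if __name__ == "__main__":
    for label, page in (("clean", build_page(False)), ("injected", build_page(True))):
        result = audit_scripts(page, BASELINE_HOSTS, BASELINE_INLINE_HASHES)
        print(f"{label}: {len(result)} finding(s)")
        for line in result:
            print("  " + line)
```

Two caveats on applying this for real. First, because the compromised host here was the site's own server, a same-origin file such as the site's checkout script can be modified in place; the same hashing should therefore be applied to the bytes actually served for each allow-listed file, compared against the hash of the build artifact, not only to inline blocks. Second, this check is detective, not preventive; a Content-Security-Policy `script-src` directive restricted to the approved hosts, together with Subresource Integrity hashes on external scripts, makes the browser itself refuse scripts that fall outside the baseline.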
The company is conducting a security audit and will be implementing a more secure form of credit card payment at some point in the future, but you can probably assume that for the time being PayPal will remain the only available payment option. Undoubtedly, the lack of a credit card payment option is going to affect OnePlus' sales numbers here in the US, and the damage to the company's reputation has got to be a major concern.
OnePlus will be figuring out a way to provide the potentially affected group of customers free credit monitoring for one year, but your best course of action here if you received an email from OnePlus is to cancel the credit card associated with your account. OnePlus says cards saved in its system before the breach in November are safe, so if that's the case for you, maybe just keep an eye on things. But if you gave OnePlus your credit card information in the last two months, you need to act now.
Here's the full statement from OnePlus.
We are deeply sorry to announce that we have indeed been attacked, and up to 40k users at oneplus.net may be affected by the incident. We have sent out an email to all possibly affected users.
What happened
- One of our systems was attacked, and a malicious script was injected into the payment page code to sniff out credit card info while it was being entered.
- The malicious script operated intermittently, capturing and sending data directly from the user's browser. It has since been eliminated.
- We have quarantined the infected server and reinforced all relevant system structures.
Who's affected
- Some users who entered their credit card info on oneplus.net between mid-November 2017 and January 11, 2018, may be affected.
- Credit card info (card numbers, expiry dates and security codes) entered at oneplus.net during this period may be compromised.
- Users who paid via a saved credit card should NOT be affected.
- Users who paid via the "Credit Card via PayPal" method should NOT be affected.
- Users who paid via PayPal should NOT be affected.
- We have contacted potentially affected users via email.
What you can do
- We recommend that you check your bank statements and report any charges you don't recognise to your bank. They will help you initiate a chargeback and prevent any financial loss.
- For enquiries, please get in touch with our support team at [email protected].
- If you notice any potential system vulnerabilities, please report them to [email protected]. This is a monitored inbox, but we may not be able to respond to all reports.
What we are doing
We cannot apologize enough for letting something like this happen. We are eternally grateful to have such a vigilant and informed community, and it pains us to let you down.
We are in contact with potentially affected customers. We are working with our providers and local authorities to better address the incident. We are working with our current payment providers to implement a more secure credit card payment method, as well as conducting an in-depth security audit. All these measures will help us prevent such incidents from happening in the future.