Less than a week after reports appeared of OnePlus customers finding fraudulent charges on their credit card statements, Chinese smartphone maker OnePlus has confirmed that its website was indeed breached. The company revealed that the credit card information of up to 40,000 users may have been stolen.
In a post on its forum, OnePlus stated that the company’s official website OnePlus.net was breached sometime in early November 2017 and that the attackers placed a malicious script on the payment page. This script stole all the credit card information entered on the payment page between mid-November 2017 and January 11, 2018. The stolen details included credit card numbers, expiry dates and security codes, essentially everything needed to use a credit card unless second-factor authentication is involved.
The company noted that customers who used saved credit cards or PayPal to pay for orders during the breach period were not affected. OnePlus is emailing the consumers who were potentially affected by the security breach and offering them one year of free credit monitoring.
Although OnePlus hasn’t mentioned whether the breach extended to the company’s India website – oneplusstore.in, it seems unlikely given the hackers reportedly only breached OnePlus.net.
If you made any purchases on OnePlus.net during the period mentioned, it would be wise to check your credit card statements for any mystery charges. Even if you don’t see any fraudulent charges, ask your provider to deactivate your credit card and get a new one issued.
“We cannot apologize enough for letting something like this happen. We are eternally grateful to have such a vigilant and informed community, and it pains us to let you down,” OnePlus said in a statement.
At a time when hacks and security breaches are becoming increasingly commonplace, it is baffling that OnePlus didn’t have more robust security in place, given that the website is the sole store for purchasing OnePlus items in many countries. The breach also went unnoticed for two months, and had consumers themselves not noticed fraudulent charges on their credit cards, the company would have had no idea that its payment page was hacked.
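One way a site operator could notice an unreviewed script on a payment page, as an added example that is not from OnePlus or the original article: compare the scripts present on the live page against a reviewed baseline. The sample pages, the paths and the `example.invalid` host are constructed for illustration.

```python
import hashlib
from html.parser import HTMLParser

class ScriptCollector(HTMLParser):
    """Collects external script URLs and inline script bodies from a page."""
    def __init__(self):
        super().__init__()
        self.external, self.inline, self._body = [], [], None

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            src = dict(attrs).get("src")
            if src:
                self.external.append(src)
            else:
                self._body = []  # start capturing an inline script body

    def handle_data(self, data):
        if self._body is not None:
            self._body.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._body is not None:
            self.inline.append("".join(self._body))
            self._body = None

def script_fingerprints(html):
    """External scripts are identified by URL, inline scripts by SHA-256."""
    c = ScriptCollector()
    c.feed(html)
    c.close()
    fps = {"src:" + url for url in c.external}
    fps |= {"inline:" + hashlib.sha256(b.strip().encode()).hexdigest()
            for b in c.inline}
    return fps

def unexpected_scripts(baseline_html, current_html):
    """Fingerprints on the current page that the reviewed baseline lacks."""
    return sorted(script_fingerprints(current_html)
                  - script_fingerprints(baseline_html))

# Constructed sample pages: a reviewed baseline and a later copy with two
# scripts that were never reviewed (contents are harmless placeholders).
BASELINE = """<html><body><form id="pay"></form>
<script src="/static/checkout.js"></script>
<script>initCheckout();</script>
</body></html>"""
CURRENT = BASELINE.replace("</body>",
    '<script src="https://cdn.example.invalid/a.js"></script>'
    '<script>/* placeholder: unreviewed inline script */</script></body>')
```

This sketch tracks external scripts by URL only, so a change to the contents of an already-listed file would need a separate hash of the fetched file or Subresource Integrity attributes to detect.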