Last week, we started hearing word of a potential security breach over at OnePlus. Users were reporting that their credit cards had been compromised shortly after making a purchase on the OnePlus website, which prompted the company to launch an investigation. Today we’re getting the first results from that investigation, and things aren’t looking good for OnePlus or its users.
In a new post to the OnePlus forums, the company tells us what it found during its investigation. As it turns out, OnePlus was indeed attacked, and as many as 40,000 users who shopped at OnePlus.net over the past couple of months might be affected. That, as you can probably guess, isn’t good news for a company that’s been trying to make a name for itself among the behemoths of the smartphone industry.
OnePlus explains that anyone who entered their credit card information on OnePlus.net between mid-November and January 11 might be affected by this breach. OnePlus stresses that those who paid using saved credit card information, credit cards routed through PayPal, or PayPal itself likely aren’t affected by this, which is good news. It also says that it will be contacting potentially affected users by email, so if you’ve bought a OnePlus device within the last couple of months, keep an eye on your inbox.
So, what happened? OnePlus says that one of its systems “was attacked, and a malicious script was injected into the payment page code to sniff out credit card info while it was being entered.” That script operated “intermittently,” and lifted data straight from web browsers. OnePlus says that it has eliminated the script and quarantined the infected server, but for now, credit card purchases remain disabled, with no word on when they might come back online.
Potentially affected users are instructed to watch their credit card statements closely and contact their banks or providers if they see any rogue purchases. In addition to contacting customers who might be at risk of having their card information exposed, OnePlus says it will now work on implementing a new, more secure payment system while at the same time conducting an “in-depth” security audit. We’ll have more information for you as it becomes available, so stay tuned for that.