OnePlus says up to 40,000 customers affected by credit card breach

Popular phone retailer says injected script is to blame, but that it operated intermittently

oneplus 5t dual camera
Doug Duvall/IDG

OnePlus, the company behind a popular line of Android devices, said on Friday that up to 40,000 customers might be at risk after a malicious script compromised payment card data during the checkout process.

Word of the data breach followed numerous reports from customers related to fraudulent charges, which led the company to suspend credit card payments.

In a letter to impacted customers OnePlus apologized for the incident, warning them that their credit card number, expiration date, and security code was likely compromised.

“As soon as we were made aware of the attack, we launched an urgent investigation. We suspended credit card payments and have been working with a cybersecurity firm to reinforce our systems,” the letter says in part.

“We recommend that you check your card statements and report any charges you don’t recognize to your bank. They will help you initiate a chargeback and prevent any financial loss. If you run into any problems, or need further guidance, don’t hesitate to reach out to us.”

The letter also stated that affected customers will get one year of credit monitoring, however at the time the letter was sent, the exact details of that monitoring was unavailable.

Additional details released outside of the letter on the OnePlus forums explain that the timeline of exposure started in mid-November 2017, and lasted until January 11, 2018 – the date when customers started reporting suspicious charges.

OnePlus stresses the point that they don’t store credit card details and that such information “is sent directly to our PCI-DSS-compliant payment processing partner over an encrypted connection, and processed on their secure servers.”

However, as proven, this measure doesn’t prevent all possible avenues of attack, given that a script simply harvested details as they were submitted.  

According to the investigation, customers who used a saved credit card were not impacted. Likewise, if a customer paid with a credit card via PayPal, they too were not part of the breach. Anyone who received the notification letter via email was impacted.

“We cannot apologize enough for letting something like this happen. We are eternally grateful to have such a vigilant and informed community, and it pains us to let you down,” the company said.

NEW! Download the Winter 2018 issue of Security Smart