Reports earlier this week that credit card data was being intercepted on the OnePlus website have been confirmed by the company, with the affected users totaling around 40,000.
In a post officially revealing what happened, OnePlus said that one of its systems was breached, allowing hackers to insert malicious code "to sniff out credit card info." More users were not affected because the code apparently worked intermittently, sending info directly from a user's browser. OnePlus said the code has since been removed and the infected server has been "quarantined".
The company also offered details on those affected:
- Some users who entered their credit card info on oneplus.net between mid-November 2017 and January 11, 2018, may be affected.
- Credit card info (card numbers, expiry dates and security codes) entered at oneplus.net during this period may be compromised.
- Users who paid via a saved credit card should NOT be affected.
- Users who paid via the "Credit Card via PayPal" method should NOT be affected.
- Users who paid via PayPal should NOT be affected.
- We have contacted potentially affected users via email.
OnePlus advised users to watch their credit card statements for unusual activity and to email its security team if they notice other problems.
What does it plan to do to keep this from happening again? "We are working with our providers and local authorities to better address the incident," the post said. "We are also working with our current payment providers to implement a more secure credit card payment method, as well as conducting an in-depth security audit."
When the breach was first reported, OnePlus shut down its credit card servers and started to investigate. Credit card payments are still suspended, but PayPal can still be used for purchases.
Via: The Verge