On Friday, OnePlus confirmed that at least 40,000 of its customers may have been affected by the security breach. It revealed that the credit card information of those users was compromised after its systems were hacked, which forced the company to stop accepting credit card payments on its online store earlier this week.
The company said that malicious code was injected into its payment page after one of its systems was targeted, in an effort to steal credit card information as users entered it on the site to make payments. The malicious script was then able to capture and send full credit card information, including card numbers, expiry dates, and security codes, directly from the user’s browser window.
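A defender-side check for the kind of payment-page script injection described above, as an added example that is not from OnePlus or the original article: it inventories the scripts on a checkout page and flags any that fall outside an approved baseline. The host names, the allowlist and the sample pages are constructed assumptions.

```python
import hashlib
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed allowlist for a hypothetical store; not OnePlus's real configuration.
ALLOWED_SCRIPT_HOSTS = {"js.payments.example"}

class ScriptCollector(HTMLParser):
    """Collects external script URLs and SHA-256 hashes of inline script bodies."""
    def __init__(self):
        super().__init__()
        self.external, self.inline, self._buf = [], [], None

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            src = dict(attrs).get("src")
            if src:
                self.external.append(src)
            else:
                self._buf = ""          # start buffering an inline script body

    def handle_data(self, data):
        if self._buf is not None:
            self._buf += data

    def handle_endtag(self, tag):
        if tag == "script" and self._buf is not None:
            digest = hashlib.sha256(self._buf.strip().encode()).hexdigest()
            self.inline.append(digest)
            self._buf = None

def scan(html):
    collector = ScriptCollector()
    collector.feed(html)
    collector.close()
    return collector

def audit_payment_page(html, page_host, approved_inline):
    """Return (kind, detail) findings for scripts outside the approved baseline."""
    page = scan(html)
    findings = []
    for src in page.external:
        host = urlparse(src).hostname or page_host   # relative URL: same origin
        if host != page_host and host not in ALLOWED_SCRIPT_HOSTS:
            findings.append(("unapproved-host", src))
    findings += [("unknown-inline", h) for h in page.inline if h not in approved_inline]
    return findings

# Constructed sample pages: an approved baseline and a copy with two added scripts.
BASELINE = '<script src="/js/checkout.js"></script><script>initCheckout();</script>'
TAMPERED = BASELINE + ('<script>/* constructed stand-in for injected code */</script>'
                       '<script src="https://cdn.unknown.example/a.js"></script>')
APPROVED = set(scan(BASELINE).inline)
```

Same-origin script files would need the same hash comparison applied to their fetched contents, which this offline example leaves out.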
OnePlus on Friday emailed those who were possibly affected, saying that 40,000 users, or a “small subset” of its total customer base, were potentially affected by an unknown hacker between mid-November 2017 and January 11, 2018. It also advised them to keep a close eye on their bank account statements for any fraudulent charges or to look into canceling their payment card.
The revelation came a week after many customers reported fraudulent transactions on credit cards they had used to purchase OnePlus products via the company’s official website – oneplus.net. The Chinese phone maker later investigated the matter with a third-party security agency.
“We have quarantined the infected server and reinforced all relevant system structures,” OnePlus said in a forum post detailing the findings. “We are in contact with potentially affected customers and working with our providers and local authorities to address the incident better.”
However, the company believes that customers who shopped on its website using their saved credit card, PayPal account or the “Credit Card via PayPal” method are not affected by the breach.
OnePlus is still investigating the incident and has committed to conducting an in-depth security audit to identify how hackers successfully managed to inject the malicious script into its servers. The company is also looking into offering a one-year subscription to a free credit monitoring service to all affected customers.
Meanwhile, as a precaution, credit card payments will remain suspended on the OnePlus.net store until the investigation is complete, though users can make purchases through PayPal.