40,000 OnePlus customers hit by credit card security breach

People line up outside the OnePlus retail store to buy a Kevlar version of the OnePlus 2 smartphone in Shanghai, China on August 8, 2015. (Photo: Marc Yeo/OnePlus)

Chinese smartphone vendor OnePlus confirmed on Friday that a security breach compromised the credit cards of up to 40,000 customers around the world. Users who entered their card details on its website between November 2017 and January 2018 are at risk.

"We are deeply sorry to announce that we have indeed been attacked, and up to 40k users at oneplus.net may be affected by the incident. We have sent out an email to all possibly affected users," reads OnePlus' latest statement, adding that "only users who received the email are potentially affected".

Last Saturday, the company was first tipped off by a user about an unknown credit card transaction on its website. After its initial investigation found substantial evidence of possible fraud, OnePlus was forced on Monday to shut down all credit card payments.

According to the company's statement, users who entered their credit card details on the website between mid-November 2017 and January 11, 2018 may be affected. The details at risk include card numbers, expiry dates and security codes.

However, those who paid via a saved credit card, PayPal, or the "Credit Card via PayPal" method should not be affected.

OnePlus explains that a malicious script was injected into the payment page code to capture credit card information as it was typed in. The script stole data directly from the user's browser. The company says it has quarantined one impacted server.
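One defensive check for the kind of tampering described above, a script added to the payment page code, is to compare every script element on the served page against a reviewed baseline. This is an added example, not code from the article or from OnePlus; the host names, page markup and function names are constructed assumptions.

```python
import base64
import hashlib
from html.parser import HTMLParser
from urllib.parse import urlparse

def csp_hash(text):
    """CSP-style 'sha256-<base64>' hash of an inline script body."""
    digest = hashlib.sha256(text.encode("utf-8")).digest()
    return "sha256-" + base64.b64encode(digest).decode("ascii")

class ScriptCollector(HTMLParser):
    """Records the src attribute and inline body of every <script> element."""
    def __init__(self):
        super().__init__()
        self.scripts, self._cur = [], None
    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self._cur = {"src": dict(attrs).get("src"), "body": ""}
    def handle_data(self, data):
        if self._cur is not None:
            self._cur["body"] += data
    def handle_endtag(self, tag):
        if tag == "script" and self._cur is not None:
            self.scripts.append(self._cur)
            self._cur = None

def collect_scripts(html):
    parser = ScriptCollector()
    parser.feed(html)
    parser.close()
    return parser.scripts

def audit_payment_page(html, page_host, allowed_hosts, known_inline):
    """Return findings for scripts that the reviewed baseline does not cover."""
    findings = []
    for s in collect_scripts(html):
        if s["src"]:
            host = urlparse(s["src"]).hostname or page_host  # relative URL: same host
            if host not in allowed_hosts:
                findings.append(("unexpected-host", s["src"]))
        elif csp_hash(s["body"]) not in known_inline:
            findings.append(("unknown-inline", s["body"].strip()))
    return findings

# Constructed sample pages with hypothetical hosts (not data from the incident).
BASELINE = '<script src="/static/checkout.js"></script><script>initCheckout();</script>'
TAMPERED = BASELINE + '<script>/* injected */</script><script src="https://cdn.invalid/x.js"></script>'
KNOWN_INLINE = {csp_hash(s["body"]) for s in collect_scripts(BASELINE) if not s["src"]}
print(audit_payment_page(TAMPERED, "shop.example", {"shop.example"}, KNOWN_INLINE))
```

The same hashes can be listed in a Content-Security-Policy `script-src` directive so that the browser itself refuses inline scripts outside the baseline.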

OnePlus recommends double-checking card statements and reporting any questionable transactions immediately to one's bank, which can advise on the next steps. Meanwhile, the company has publicly apologised through its forum and thanked its "vigilant and informed community" for its immediate response and understanding.

The company assures customers that it is putting in more effort to iron out the kinks as soon as possible.

"We are working with our providers and local authorities to better address the incident. We are also working with our current payment providers to implement a more secure credit card payment method, as well as conducting an in-depth security audit. All these measures will help us prevent such incidents from happening in the future."

This article was first published on January 20, 2018