OnePlus is suggesting that all recent customers check their card statements and report any signs of possible fraudulent activity directly to their bank. The advice follows an ongoing investigation with a third-party security agency into the breach that caused customers' credit card information to be stolen while they were purchasing OnePlus products.
Sensitive banking information including credit card numbers, expiry dates, and security codes may have been compromised. Its investigation has led OnePlus to believe the malicious script was active between mid-November 2017 and January 11th, 2018.
Last week, OnePlus CEO Pete Lau told CNET that it is exploring partnerships with U.S. carriers, but a spokesperson confirmed that this security breach will not change anything in terms of OnePlus' online sales strategy.
"We cannot apologise enough for letting something like this happen."
In a statement to The Verge, OnePlus said it has been able to determine with the assistance of an outside firm the point of entry an attacker used to plant the malicious script. Also, OnePlus said that it had contacted potentially affected users via email already.
"We are deeply sorry to announce that we have indeed been attacked, and up to 40k users at oneplus.net may be affected by the incident."
OnePlus also clarified that users who paid via a saved credit card should not be affected, and that users who paid via the "Credit Card via PayPal" option or via PayPal are not affected either. It certainly won't help the reputation of OnePlus. While this situation is simply unacceptable from a cybersecurity point of view, OnePlus does get some brownie points for suspending the payment method so quickly, but it could have been much more transparent earlier on with those impacted. OnePlus will be getting in touch with the affected users soon to ensure they can claim their credit monitoring service.
We have contacted potentially affected users via email.
OnePlus is now working with local authorities to get to the bottom of the data breach.
Going forward, the OEM wants to avoid similar attacks by implementing a more secure credit card payment method, as well as conducting an in-depth security audit. Companies need to remember that bad actors are well-trained individuals who will use any opportunity to steal data.