OnePlus has confirmed that up to 40,000 customers have been affected by a credit card breach, in the latest embarrassing misstep for the Chinese handset maker.
The news comes several days after OnePlus shut down credit card processing following complaints from customers about fraudulent charges landing on their cards after they bought products through OnePlus’s online store.
OnePlus offered an explanation of what had happened on its website.
“One of our systems was attacked, and a malicious script was injected into the payment page code to sniff out credit card info while it was being entered,” the company said. “The malicious script operated intermittently, capturing and sending data directly from the user’s browser. It has since been eliminated. We have quarantined the infected server and reinforced all relevant system structures.”
The affected users entered their card information on OnePlus’s store between mid-November and January. Customers who made purchases with a saved card “should not” be affected, OnePlus said. The same goes for those who paid with PayPal or with a credit card via PayPal. Affected users will be offered a year of credit monitoring.
“We cannot apologize enough for letting something like this happen,” the company said. “We are eternally grateful to have such a vigilant and informed community, and it pains us to let you down.”
OnePlus’s investigation is continuing, and it is working with local law enforcement. Perhaps more important to current and prospective customers, it is conducting a security audit and “working to implement a more secure credit card payment method.”
Some customers expressed unhappiness and concern over the data breach on Twitter.
“yeah if you gave OnePlus your CC info in the last two months, just CANCEL THE CARD. Checking your statement doesn't do anything. https://t.co/hvt79C4iHw”
— David Ruddock (@RDR0b11) January 19, 2018
OnePlus’s devices have often been dubbed “iPhone killers” for their combination of looks, functionality and price.
Credit card breaches are an unfortunate fact of modern life, but OnePlus was already riding a regularly cresting wave of bad publicity that has clashed with its devices’ popularity.
In November, a security researcher revealed that OnePlus had left a debugging tool on its phones that could give attackers root access to the devices. Security researcher Christopher Moore found in October that OnePlus was collecting large amounts of personally identifiable usage data without user consent. And in July, a software bug in the OnePlus 5 rebooted the phone when users made an emergency call.