Up to 40,000 OnePlus customers may have been impacted after attackers managed to compromise the company’s payment page.
In a Friday post on the OnePlus forums, the Chinese smartphone company confirmed the attack and also revealed that the attackers managed to inject rogue code into its payment page, allowing them to steal credit card information entered by users.
The company launched an investigation last week, after some of its users started complaining about fraudulent transactions occurring on their credit cards following purchases made on oneplus.net.
“We are deeply sorry to announce that we have indeed been attacked, and up to 40k users at oneplus.net may be affected by the incident. We have sent out an email to all possibly affected users,” a company employee said in a forum post.
The malicious script, the employee revealed, was designed to capture and send data directly from the user’s browser. The script has been removed, the compromised server quarantined, and relevant system structures have been reinforced, the company says.
All OnePlus users who entered credit card information on the oneplus.net website between mid-November 2017 and January 11, 2018, may be impacted by the breach. The hack happened around the same time OnePlus 5T, the latest flagship smartphone from the Chinese maker, was launched.
Immediately after being alerted to the incident, the company also suspended credit card payments on its website, but continued to support PayPal payments.
The malicious code injected in the payment page was designed to steal credit card information such as card numbers, expiry dates, and security codes that the users would enter on the website during the compromise period.
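A skimmer of the kind described above shows up on the page as a script the checkout did not have before: a new inline script block, or an external script loaded from a host the merchant never used. The following is an added example, not OnePlus's or SecurityWeek's code, of the baseline check a site owner can run against their own payment page to catch that change. It parses the page with Python's standard-library HTML parser, records the external script hosts and the hashes of inline scripts from a known-good snapshot, and reports anything on a later snapshot that is not in that baseline. The HTML, hostnames (shop.example, example-analytics.invalid) and the "injected" placeholder script are all constructed sample input.

```python
"""
Added example: baseline diff of <script> elements on a payment page.
Not the code of OnePlus or of the article's author; all sample HTML below is constructed.
"""
import hashlib
from html.parser import HTMLParser
from urllib.parse import urlparse


class ScriptCollector(HTMLParser):
    """Collect every <script> on a page: external ones by src, inline ones by body."""

    def __init__(self):
        super().__init__()
        self.external = []    # src attribute of each external script
        self.inline = []      # body of each inline script
        self._in_inline = False
        self._buf = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "script":
            return
        src = dict(attrs).get("src")
        if src:
            self.external.append(src)
        else:
            self._in_inline = True
            self._buf = []

    def handle_data(self, data):
        # HTMLParser delivers <script> bodies as CDATA through handle_data
        if self._in_inline:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag.lower() == "script" and self._in_inline:
            self.inline.append("".join(self._buf))
            self._in_inline = False


def inline_hash(body: str) -> str:
    """SHA-256 of an inline script with whitespace normalised, so re-indenting alone does not alarm."""
    return hashlib.sha256(" ".join(body.split()).encode()).hexdigest()


def script_host(src: str) -> str:
    """Host an external script is loaded from; relative URLs are the merchant's own origin."""
    return urlparse(src).hostname or "same-origin"


def script_inventory(html: str):
    """Return (set of external script hosts, set of inline script hashes) for one page snapshot."""
    parser = ScriptCollector()
    parser.feed(html)
    return {script_host(s) for s in parser.external}, {inline_hash(b) for b in parser.inline}


def audit_payment_page(html: str, allowed_hosts, known_inline_hashes):
    """Compare a fresh snapshot against the baseline; an empty list means nothing new was found."""
    hosts, hashes = script_inventory(html)
    findings = []
    for host in sorted(hosts - set(allowed_hosts)):
        findings.append(f"unexpected external script host: {host}")
    for h in sorted(hashes - set(known_inline_hashes)):
        findings.append(f"unknown inline script (sha256 {h[:12]}...)")
    return findings


# Constructed known-good snapshot of a checkout page (hostnames are placeholders).
BASELINE_HTML = """<html><body>
<form id="card"><input name="cardnumber"><input name="cvv"></form>
<script src="https://shop.example/static/checkout.js"></script>
<script>window.checkoutConfig = {currency: "USD"};</script>
</body></html>"""

# Constructed later snapshot: same page plus one extra external script from an unknown
# host and one extra inline script. The inline body is an inert placeholder, not a skimmer.
COMPROMISED_HTML = """<html><body>
<form id="card"><input name="cardnumber"><input name="cvv"></form>
<script src="https://shop.example/static/checkout.js"></script>
<script>window.checkoutConfig = {currency: "USD"};</script>
<script src="https://stats.example-analytics.invalid/collect.js"></script>
<script>/* injected placeholder (constructed) */ var _x = 1;</script>
</body></html>"""


if __name__ == "__main__":
    allowed_hosts, known_hashes = script_inventory(BASELINE_HTML)
    print("baseline:", audit_payment_page(BASELINE_HTML, allowed_hosts, known_hashes))
    for finding in audit_payment_page(COMPROMISED_HTML, allowed_hosts, known_hashes):
        print("FINDING:", finding)
```

Run this periodically against a fetched copy of the live checkout page and alert on any non-empty result; the baseline should be refreshed only through the same change process that deploys legitimate script updates, otherwise an injection that lands between two baseline refreshes is silently accepted.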
According to OnePlus, the incident didn’t impact users who paid via a saved credit card. Users who paid via the “Credit Card via PayPal” method and those who used PayPal to pay should not be affected either.
“We cannot apologize enough for letting something like this happen. We are working with our providers and local authorities to better address the incident. We are also working with our current payment providers to implement a more secure credit card payment method, as well as conducting an in-depth security audit,” the OnePlus employee said.
Not only should enterprises assume they have been or will be breached, but savvy consumers should also assume their financial data is bound to be compromised, Tyler Moffitt, Senior Threat Research Analyst at Webroot, pointed out in an emailed statement to SecurityWeek. Thus, Moffitt encourages users to take steps to be warned when unauthorized transactions occur on their accounts.
“Additionally, when online shopping, it is inherently more secure for consumers to use their PayPal accounts than enter their credit card data upon checkout – it is best practice to enter credit card information as rarely as possible. Most merchants have PayPal, Masterpass or Visa Checkout options available, which are more secure payment protocol alternatives,” Moffitt concluded.