NEW DELHI: Responding to reports of an alleged credit card data breach, OnePlus confirmed that nearly 40,000 customers were affected by the cyber attack.
“We are deeply sorry to announce that we have indeed been attacked, and up to 40k users at oneplus.net may be affected by the incident. We have sent out an email to all possibly affected users,” said OnePlus on its forum.
What’s the issue?
Reports from an ongoing investigation with a third-party security agency into the breach revealed that as customers were purchasing OnePlus products, credit card information was reported to be stolen, leading the company to shut down credit card payments for its online store.
A report that appeared on The Verge, while quoting OnePlus, said the script that stole the data had been running on one of its payment processing servers since mid-November, although reports of data breach surfaced only in the past week.
It is said that the script was able to capture full credit card information, including card numbers, expiry dates, and security codes directly from a customer’s browser window.
Further, the article noted that the company has determined where the exploit happened and has found the point of entry for the attacker, but the investigation remains ongoing.
“It’s not yet clear if the attack was done remotely, or if someone had physical access to the server to install the script.”
Who has been affected?
While nearly 40,000 people remain affected, this, the company says, is a “small subset” of its customer base, and is reaching out to its vast expanse to secure their data. It is reportedly offering a year of credit monitoring service for free.
Meanwhile, credit card payments will remain suspended on the OnePlus.net store until the investigation is complete. Furthermore, the company assured that it is working to create and implement a more robust and secure payment method.
“Some users who entered their credit card info on oneplus.net between mid-November 2017 and January 11, 2018, may be affected. Credit card info (card numbers, expiry dates and security codes) entered at oneplus.net during this period may be compromised. Users who paid via a saved credit card should NOT be affected. Users who paid via the “Credit Card via PayPal” method should NOT be affected. Users who paid via PayPal should NOT be affected,” added the company on its forum.
What should customers do?
Customers should check their credit card statements and immediately report any transaction that you don’t recognize. Customers can reach out to the company on their support page or write an email to security@oneplus.net.