Credit card information of up to 40,000 OnePlus customers has been compromised, the Chinese phone maker said Friday as part of an update on the internal investigation it initiated after some owners of its products started reporting credit card fraud. The Shenzhen, Guangdong-based company is now reaching out to all customers it believes may have been affected by the hack it suffered and will notify them of the development via email. It's currently unclear how long that effort will take, but all potentially compromised users are likely to be alerted to the issue by the end of the week.
According to OnePlus, the attack was conducted via a "malicious script" inserted into the page that accepts credit card information and sends it to the firm's payments partner. The short interval during which the page sends sensitive information before the cloud partner encrypts it likely gave the attackers the opportunity they needed to steal the data. OnePlus says the script was eliminated after detection and the infected server was quarantined, while the rest of its infrastructure has been strengthened in an unspecified manner. Anyone who entered their credit card info into the company's website between mid-November and January 11th may have had it stolen, OnePlus said. Customers who purchased products from the company using PayPal, or using saved credit card info that was entered outside of the aforementioned period, aren't affected. While the latter scenario also involves making a direct credit card charge, the actual data it pulls is encrypted and the manner in which it's used cannot be compromised by the newly discovered script.
OnePlus said it "pains" it to let its customers down and thanked those who were "vigilant" enough to suspect foul play with their credit card statements and notify the community about it. All potentially affected customers should contact their banks, check their transaction histories, and report any charges they don't recognize, OnePlus advised. The company is still investigating the hack, whose authors remain unknown. Its near-term plans involve the release of the OnePlus 6 and OnePlus 6T later this year, as well as exploring the possibility of a retail partnership with at least one U.S. wireless carrier.