"Shot on OnePlus" refers to OnePlus's photos app, where OnePlus users can upload photos to be used as wallpapers each day. Photos only come across as daily wallpapers if OnePlus selects them. To upload photos within the app, users also have to create a profile that includes sensitive information such as their name, country, and email address. It is in this area of the app that email addresses were leaked, through the API that connects the server to the website.
The "gid," the ID OnePlus uses to find the photos of any user, can also be used to access the same sensitive information as mentioned above. There was little security to prevent anyone from obtaining this information. With no encryption of such sensitive data, anyone could retrieve any number of email addresses, real names, and even residence locations from the API with little effort. One could also find more users by going through random gid numbers.
9to5Google says that it contacted OnePlus and didn't receive a response, but that OnePlus has "added a bit more security to some parts of the API" such that they now hide email addresses with asterisks. There is still a flaw in the current gid setup because the API can still be bypassed, but the company is more intentional about protecting user data than before. That OnePlus fixed this issue secretly shows that, true to 9to5Google's word, there was a real gid flaw leaking sensitive information it had no need to expose.
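The difference between masking one field and returning only what a caller needs, shown as an added example that is not OnePlus's code. The field names, the client labels, and the idea that `requester_gid` comes from an authenticated session are all assumptions.

```python
from collections import defaultdict

# Constructed sample record; field names are assumptions, not OnePlus's schema.
PROFILE = {"gid": "1001", "name": "Sample User", "country": "IN",
           "email": "sample.user@example.com", "photo_ids": [7, 9]}

# Fields a wallpaper viewer needs in order to show someone's photos.
PUBLIC_FIELDS = ("gid", "photo_ids")


def mask_email(email):
    """Asterisk masking: keep the first character and the domain."""
    local, _, domain = email.partition("@")
    return local[:1] + "*" * max(len(local) - 1, 0) + "@" + domain


def mask_only(profile):
    """Weak form: the email is masked, but name and country still go out."""
    out = dict(profile)
    out["email"] = mask_email(out["email"])
    return out


def serialize_profile(profile, requester_gid=None):
    """Hardened form: full record to its owner, allow-listed fields to anyone else.

    requester_gid is assumed to come from an authenticated session,
    never from a request parameter the caller controls.
    """
    if requester_gid is not None and requester_gid == profile["gid"]:
        return dict(profile)
    return {key: profile[key] for key in PUBLIC_FIELDS}


def flag_enumeration(log, threshold=3):
    """Return clients that requested more than `threshold` distinct gids."""
    seen = defaultdict(set)
    for client, gid in log:
        seen[client].add(gid)
    return sorted(c for c, gids in seen.items() if len(gids) > threshold)


# Constructed access log of (client label, requested gid) pairs.
SAMPLE_LOG = [("client-a", str(g)) for g in range(1000, 1006)]
SAMPLE_LOG += [("client-b", "1001"), ("client-b", "1001")]

if __name__ == "__main__":
    print(mask_only(PROFILE))
    print(serialize_profile(PROFILE))
    print(flag_enumeration(SAMPLE_LOG))
```

The threshold here is arbitrary; a real deployment would count distinct gids per client within a time window and tune the limit against normal browsing.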
There's no official word on how long OnePlus's "Shot on OnePlus" wallpapers app leaked email addresses, but unfortunately, OnePlus isn't alone. Instagram leaked contact information for months, between October 2018 and March 2019. The Instagram contact leak was reported by Indian marketing company Chtrbox in February, with Instagram patching the issue in March. The Facebook-owned company made an announcement last month, two months after it patched the five-month contact leak.
In December 2017, GearBest user logins were leaked online, with the hacked information published at the online repository site Pastebin. Even email addresses were leaked at GearBest, and the company, while doing its best to freeze affected accounts, recommended that affected users log in with a unique email address that hadn't been used at GearBest.
Genealogy service provider MyHeritage reported a massive breach in mid-2018 where 92.28 million users' email addresses and passwords to the site were exposed.
In an age where information is all too widely available on the internet, personal information can be exposed. It goes to show that companies must do more to protect their users, not just gain users and profit from them. After all, customers place their information into the hands of businesses, expecting that businesses will look out for them. When leaked email addresses and other information make their way onto the internet and companies report breaches, it's an all too apparent reminder that users, for all the promises companies make, must be vigilant about where and how they share their information. There must be greater corporate responsibility with user-sensitive data.