OnePlus got pwned, exposed up to 40,000 users to credit card fraud

Ars Technica 2018-01-19

If you bought directly from OnePlus in the last two months or so, double-check your credit statements.

Earlier this week, numerous reports of credit card fraud started pouring in from OnePlus users. On the company's forums, customers said that credit cards used to purchase a OnePlus smartphone recently were also seeing bogus charges, so OnePlus launched an investigation into the reports. It's now a few days later, and the company has admitted that its servers were compromised—"up to 40k users" may have had their credit card data stolen.

OnePlus has posted an FAQ on the incident. "One of our systems was attacked," the post reads. "A malicious script was injected into the payment page code to sniff out credit card info while it was being entered." OnePlus believes the script was functional from "mid-November 2017" to January 11, 2018, and it captured credit card numbers, expiration dates, and security codes that were typed into the site during that time. Users who paid via PayPal or with previously entered credit card information are not believed to be affected.

OnePlus says it "cannot apologize enough for letting something like this happen." The company is emailing accounts it believes to have been affected, and OnePlus says it is "working with our current payment providers to implement a more secure credit card payment method, as well as conducting an in-depth security audit."
