The email, posted by Peter Smallbone on Twitter, said: “As soon as we were made aware of the attack, we launched an urgent investigation. We suspended credit card payments and have been working with a cybersecurity firm to reinforce our systems.”
Several customers also posted the same email on the company’s forums on Friday.
The company is “looking” to provide credit card monitoring for customers affected.
A malicious script was inserted on the company’s pages, capturing and sending data directly from the user’s browser. The script, now removed, is said to have “operated intermittently.”
The company said customers who entered their credit card details on the company’s site between mid-November and January 11 may be affected. The company said that may include “up to 40,000” customers.
Anyone who paid with PayPal aren’t affected, neither are those who paid with a previously saved credit card on file.
A OnePlus spokesperson did not comment beyond the company’s statement.
Reports of credit card fraud started popping up over the weekend. On Thursday, the company said it was looking into a “serious issue” and “as a precaution, we are temporarily disabling credit card payments” on its site.
The cause of the breach is not immediately known. We’ll update when we know more.