Chinese smartphone manufacturer OnePlus has disclosed that up to 40,000 customers may have been affected by a recent compromise of the company’s checkout process.
The attack was accomplished by implanting a rogue script into the company’s payment page code on oneplus.net. The script was intended to harvest credit card details while they were being entered by customers, according to the company’s statement.
“The malicious script operated intermittently, capturing and sending data directly from the user’s browser. It has since been eliminated,” reads the statement.
The breach put at risk ‘only’ the customers who entered their payment data on oneplus.net between the middle of November 2017 and January 11, 2018. Those who paid with previously saved credit card details or via PayPal are believed to be out of harm’s way.
OnePlus also said that it has “quarantined the infected server and reinforced all relevant system structures”. It has also notified the customers whose payment details – credit card numbers, expiry dates and security codes – may have been compromised.
“We cannot apologize enough for letting something like this happen,” continued the statement.
OnePlus launched its probe halfway into January after a number of users who had made purchases on its website later discovered unauthorized activity on their cards, prompting them to report it to OnePlus. Last Tuesday, the company took the precaution of suspending card payments on the site while it was looking into the issue, in its own words, “around the clock”.
The beginning of the hack in mid-November roughly coincided with the launch of the company’s new flagship smartphone model, OnePlus 5T. The disclosure of the breach comes a few days after the company’s CEO Pete Lau confirmed plans to boost the manufacturer’s presence in the US market by seeking a partnership with a mobile carrier.
Author Tomáš Foltýn, ESET