[BreachExchange] Smartphone maker OnePlus hit by credit card security breach

Audrey McNeil audrey at riskbasedsecurity.com
Fri Jan 19 20:03:42 EST 2018


In a letter to its customers, along with a post on its forums, OnePlus
apologised for the breach and stated that the card number, expiry date and
security code had all been compromised. The company said that the attacker
had managed to inject a malicious script into the payment page code. The
company says the script has been removed, but customers who entered information
into the site between mid-November 2017 and January 11, 2018 could be at

A spokeswoman for OnePlus said it would offer credit monitoring to everyone
who had been affected and would also set up a hotline that people could
call to get help resolving payment and card issues.

If you paid with an already-saved credit card on the OnePlus store during
that time, you "should not be affected". Also, OnePlus said that it had
contacted potentially affected users via email already. "We recommend that
you check your card statements and report any charges you don't recognize
to your bank", OnePlus said. The malicious script sent this data directly
from the customer's browser, and has since been eliminated, according to
the company.

It's unclear exactly when this attack took place and for how long OnePlus
has been sitting on the information, but it told customers that it
"launched an urgent investigation" as soon as it was made aware of the

Until the investigation is completed, credit card payments on the OnePlus
online store will be suspended, with customers urged to complete payments
via PayPal in the meantime.

An investigation into potential culprits is still ongoing, and while a
spokesperson insists only one server was affected, he was unable to confirm
whether the vulnerability existed in other company-owned servers as well.

"We can not apologise enough for letting something like this happen", wrote
OnePlus in its update. The Verge reports that the company is now working to
launch a more secure credit card payment processing system before it
re-enables standard payments, in the hope that a breach like this never
happens again.

Finally, OnePlus says that it is working with providers and local
authorities to "better address the incident".