Several users reported on the OnePlus forums that they suspected their credit cards were being charged without their knowledge; some Reddit users said they noticed their cards being used on betting websites. A week later, the company confirmed that users who purchased phones through its website between mid-November 2017 and January 11, 2018 had been victims of a credit card information leak.
It seems they did not take basic precautionary measures. The OnePlus site was hosting the payment page that accepts users' card details on its own domain, which is a flawed design by itself since OnePlus is not PCI DSS compliant (Payment Card Industry Data Security Standard). If attackers manage to inject malicious code into the website, every card entered on that page is at risk, because the injected script runs in the same page as the form fields and can read them. Ideally, the entire payment flow should go through a third-party payment gateway that takes care of everything, from accepting the card input on the gateway's own origin to encrypting the information and processing the payment.
In its statement, the company said that users who had paid with PayPal or with a saved credit card before November should not have been affected. The company has since disabled the credit card payment option on its website and claims to have quarantined the affected server.
Here is the complete statement from OnePlus:
We are deeply sorry to announce that we have indeed been attacked, and up to 40k users at oneplus.net may be affected by the incident. We have sent out an email to all possibly affected users.
1. What happened
One of our systems was attacked, and a malicious script was injected into the payment page code to sniff out credit card info while it was being entered.
- The malicious script operated intermittently, capturing and sending data directly from the user’s browser. It has since been eliminated.
- We have quarantined the infected server and reinforced all relevant system structures.
2. Who’s affected
- Some users who entered their credit card info on oneplus.net between mid-November 2017 and January 11, 2018, may be affected.
- Credit card info (card numbers, expiry dates and security codes) entered at oneplus.net during this period may be compromised.
- Users who paid via a saved credit card should NOT be affected.
- Users who paid via the “Credit Card via PayPal” method should NOT be affected.
- Users who paid via PayPal should NOT be affected.
- We have contacted potentially affected users via email.
3. What you can do
- We recommend that you check your card statements and report any charges you don’t recognize to your bank. They will help you initiate a chargeback and prevent any financial loss.
- For enquiries, please get in touch with our support team at https://oneplus.net/support.
- If you notice any potential system vulnerabilities, please report them to firstname.lastname@example.org. This is a monitored inbox, but please note, we may not be able to respond to all reports.
4. What we are doing
We cannot apologize enough for letting something like this happen. We are eternally grateful to have such a vigilant and informed community, and it pains us to let you down.
We are in contact with potentially affected customers. We are working with our providers and local authorities to better address the incident. We are also working with our current payment providers to implement a more secure credit card payment method, as well as conducting an in-depth security audit. All these measures will help us prevent such incidents from happening in the future.
A big thank you to our forum user @superdutynick for bringing this incident to our attention!
The OnePlus Team
As a mobile giant handling millions of users' confidential data, OnePlus should conduct periodic, in-depth security audits, penetration testing and monitoring. Payment processing should be handled entirely by a reliable third-party service that does the job well. That way, even if attackers are able to breach the company website, the damage would be minimized.