Shenzhen, China-based smartphone maker OnePlus has confirmed that up to 40,000 customers were affected by a compromise of its website that allowed attackers to steal credit card details as they were being entered into browsers.
OnePlus disabled credit card purchases on oneplus.net last week when customers reported seeing card transactions they didn’t recognise after having made purchases on the site.
The company said card details are not processed or stored on its site, being sent over an encrypted connection directly to a third-party payment services provider.
But the hackers injected code into oneplus.net that recorded card information, the company said.
“One of our systems was attacked, and a malicious script was injected into the payment page code to sniff out credit card info while it was being entered,” OnePlus said in a statement.
The script operated intermittently over a period from mid-November 2017 to 11 January 2018, affecting those who entered card details for the first time.
Those who used saved card information or third-party methods such as PayPal weren’t affected.
OnePlus said it has isolated the system involved and is working with its payment provider on a more secure system.
A OnePlus spokesperson said the 40,000 users “represent a small subset” of the company’s total customer base. The company said it’s offering customers a year of free credit monitoring and is working with law enforcement authorities to investigate the hack.
All those potentially affected have been notified via email, OnePlus said, urging customers to be on the lookout for suspicious card transactions.
“We cannot apologize enough for letting something like this happen,” the company stated.
OnePlus sells through carriers such as O2 in the UK, but also offers handsets, accessories and other items directly to all its markets over oneplus.net.
The firm has sold its products in all European countries except Switzerland since 2014.
Do you know all about security? Try our quiz!
Petrol distribution network in Iran has reportedly been paralysed after a cyberattack, which some officials…