OnePlus has been hacked. The company confirmed this after announcing a few days ago that it was investigating the possible theft of bank data belonging to users who had made purchases on its website. On January 16 it removed the option of paying by card, and today it confirmed all the details of the hack.
40,000 affected users
The company, which says it is sorry for the incident, has confirmed that some 40,000 users were affected by the data theft when buying on the oneplus.net website. All potentially affected users will receive an email from the company today informing them of the possible dangers they face.
What happened was that one of the OnePlus systems was attacked, and a malicious script was injected into it to capture the data entered on the website's payment page. Recall that the data was not handled properly on the site: between being entered in the form and being sent to the site that managed the payment, it was stored insecurely on the OnePlus website, which did not comply with secure payment standards.
The malicious script captured the data that the user entered (like a keylogger) and sent it to a remote server. The company has confirmed that this script has already been removed from the site, and that it has isolated the affected server while it reinforces its entire security infrastructure.
Affected users are those who entered their credit card data between November 2017 and January 11, 2018. The stolen data includes the credit card numbers, expiration dates and security codes that were entered on the site.
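An injected script on a payment page, as described above, can be caught by comparing the scripts a page actually serves with a reviewed baseline. The following is an added example, not code from OnePlus or from the original article; the sample page, host names and baseline values are constructed assumptions.

```python
import hashlib
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample checkout page (not OnePlus markup); hosts are placeholders.
SAMPLE = """<script src="/static/checkout.js"></script>
<script src="https://cdn.payments.example/sdk.js"></script>
<script src="https://stats.invalid/c.js"></script>
<script>initCheckout();</script>
<script>loadExtra();</script>"""
# Assumed reviewed baseline: one third-party host and one inline script.
ALLOWED_HOSTS = {"cdn.payments.example"}
ALLOWED_INLINE = {hashlib.sha256(b"initCheckout();").hexdigest()}

class ScriptInventory(HTMLParser):
    """Collect external script URLs and the bodies of inline scripts."""
    def __init__(self):
        super().__init__()
        self.external, self.inline, self._open = [], [], False

    def handle_starttag(self, tag, attrs):
        if tag != "script":
            return
        src = dict(attrs).get("src")
        self._open = not src          # only inline scripts carry a body
        if src:
            self.external.append(src)
        else:
            self.inline.append("")

    def handle_data(self, data):
        if self._open:
            self.inline[-1] += data

    def handle_endtag(self, tag):
        if tag == "script":
            self._open = False

def audit_scripts(html, allowed_hosts, allowed_inline):
    """Return findings for scripts that are not in the reviewed baseline."""
    inv = ScriptInventory()
    inv.feed(html)
    # Relative URLs have no hostname and are treated as same-origin.
    findings = [("unexpected-host", s) for s in inv.external
                if urlparse(s).hostname not in (None, *allowed_hosts)]
    for body in inv.inline:
        digest = hashlib.sha256(body.encode()).hexdigest()
        if digest not in allowed_inline:
            findings.append(("unreviewed-inline", digest))
    return findings
```

A same-origin script file altered in place on a compromised server is not covered by this check; detecting that needs a content hash of the file itself.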
If you paid with PayPal, you are safe
If a user had entered their bank details before mid-November and made a purchase during the period described above, the data was not stolen, because it was already in the hands of the third-party payment manager. Users who paid with PayPal, or with a credit card through PayPal, are also not affected.
If you have doubts, it is best to cancel your card and check for charges that you do not recognize. As soon as you receive them, you must tell the bank to cancel them, or even resort to credit card insurance. If you have any questions, you can contact the OnePlus technical service. If you find more security problems, the company asks that you send them to firstname.lastname@example.org.
For now, the company continues to apologize for this incident and is in contact with affected customers. It is also working with the authorities to address the incident and is talking to its payment provider about implementing a more secure payment system, along with a comprehensive security audit to prevent this problem in the future. What the company has not said is that it will compensate the affected users (with a gift such as a cover, for example), which would not be a bad way to recover their confidence.