Chinese smartphone manufacturer OnePlus has disclosed that up to 40,000 customers may have been affected by a recent compromise of the company’s checkout process.
The attack was accomplished by implanting a rogue script into the company's payment page code on oneplus.net. The script was intended to harvest credit card details while they were being entered by customers, according to the company’s statement.
“The malicious script operated intermittently, capturing and sending data directly from the user's browser. It has since been eliminated,” reads the statement.
The breach put at risk ‘only’ the customers who entered their payment data on oneplus.net between the middle of November 2017 and January 11, 2018. Those who paid with previously saved credit card details or via PayPal are believed to be out of harm's way.
OnePlus also said that it has “quarantined the infected server and reinforced all relevant system structures”. It has also notified the customers whose payment details – credit card numbers, expiry dates and security codes – may have been compromised.
"We cannot apologize enough for letting something like this happen," continued the statement.
OnePlus launched its probe halfway into January after a number of users who had made purchases on its website later discovered unauthorized activity on their cards, prompting them to report it to OnePlus. Last Tuesday, the company took the precaution of suspending card payments on the site while it was looking into the issue, to use its own words, “around the clock”.
The beginning of the hack in mid-November roughly coincided with the launch of the company’s new flagship smartphone model, OnePlus 5T. Back then, the company was also in the limelight for an apparent gaffe that consisted of pre-installing a backdoor on its devices. In October, the company came under fire for collecting, sub rosa, inordinate amounts of data from the devices of its customers.