OnePlus, the smartphone manufacturer behind a popular line of Android phones, has reported a credit card breach affecting up to 40,000 users at oneplus.net. Customers who entered their credit card data on the website between mid-November 2017 and January 11, 2018 could be at risk.

oneplus-5-back-1500x1000.jpg

The announcement of the data breach followed numerous reports from customers over the weekend of January 13, 2018 related to fraudulent charges appearing on their accounts. The company immediately launched an investigation and learned one of its systems was attacked. A malicious script was injected into the payment page code to steal credit card information as it was being entered.

The company suspended credit card payments following the discovery and announced they will remain suspended on the OnePlus.net store until the investigation is complete, with customers able to purchase items through PayPal in the meantime. OnePlus says it is working to implement a more secure credit card payment method before it re-enables them.

In a letter to impacted customers OnePlus apologized for the incident, warning them that their credit card number, expiration date, and security code was likely compromised.

“As soon as we were made aware of the attack, we launched an urgent investigation. We suspended credit card payments and have been working with a cybersecurity firm to reinforce our systems,” the letter says in part.

“We recommend that you check your card statements and report any charges you don’t recognize to your bank. They will help you initiate a chargeback and prevent any financial loss. If you run into any problems, or need further guidance, don’t hesitate to reach out to us.”

The letter also stated that affected customers will get one year of credit monitoring, however at the time the letter was sent, the exact details of that monitoring was unavailable.

The malicious script has been eliminated, the infected server quarantined, and all relevant system structures reinforced. Users who paid using a saved credit card, the "Credit Card via PayPal" option, or PayPal should not be affected. 

OnePlus has stressed the point that they don’t store credit card details and that such information “is sent directly to our PCI-DSS-compliant payment processing partner over an encrypted connection, and processed on their secure servers.”

However, as proven, this measure doesn’t prevent all possible methods of attack, given that the script simply harvested details as they were submitted.

“We cannot apologize enough for letting something like this happen. We are eternally grateful to have such a vigilant and informed community, and it pains us to let you down,” the company said.

OnePlus’s devices have often been dubbed “iPhone killers” for their combination of looks, functionality and price.

Though the devices continue to surge in popularity, this breach comes at an inopportune time for the company, as OnePlus has recently been involved in a string of bad publicity.

In November, a security researcher revealed that OnePlus had left a debugging tool on its phones that could give attackers root access to the devices. Security researcher Christopher Moore found in October that OnePlus was collecting large amounts of personally identifiable usage data without user consent. And in July, a software bug in the OnePlus 5 rebooted the phone when users made an emergency call.

"This breach should be a reminder that HTTPS, while encrypted, is not a guarantee of a secure transaction as attackers can compromise the systems at both ends of any encrypted conversation," says Chris Morales, head of security analytics at Vectra.


Breadcrumb is a cybersecurity and executive advisory firm. Located in Central California, we partner with organizations throughout the US, protecting their critical assets from cyber breach. Contact us today for a no-obligation consultation.