OnePlus admits that 40,000 customers were affected by credit card security breaches

OnePlus has announced that 40,000 customers were affected by a recent security breach, which led the company to disable credit card payments in its online store earlier this week. Third-party security agencies are currently investigating the vulnerabilities that allowed customers' credit card information to be stolen when they purchased OnePlus products.

Although the stolen credit card information and fraudulent purchases only came to light in the past week, OnePlus said that a data-capturing script had been running on one of its payment processing servers since mid-November. The script took full credit card information, including card number, expiration date, and security code, directly from the customer's browser window. The company said it has identified the location of the attack and found the attacker's entry point, but the investigation is still ongoing.

It is not yet clear whether the attack was carried out remotely or whether someone physically accessed the server to install the script. In a forum post detailing its findings, OnePlus said the script ran "intermittently" and that the infected server has been isolated from the rest of the system. It also said that customers who paid with a saved credit card, with a credit card processed through PayPal, or through a PayPal account should not be affected.

A OnePlus spokesman said the 40,000 affected customers account for only a small part of its total customer base. The company is assisting affected customers and offering one year of free credit monitoring. It is also cooperating with local authorities during the investigation. Credit card payments will remain disabled in the OnePlus.net store until the investigation is completed; in the meantime, customers can purchase items through PayPal. OnePlus said it is working hard to implement safer credit card payment methods.

Last week OnePlus CEO Pete Lau told CNET the company is exploring partnerships with US carriers, but a spokesman confirmed that the security breach will not change anything about OnePlus's online sales strategy. The company currently has no plans to move its store to Amazon or other e-commerce platforms.

Reference: The Verge