Just four days after starting an investigation of a scary possible credit card security breach, and three days on the heels of a precautionary disabling of said payment method on its official website and main e-store, OnePlus is ready to share the probe’s preliminary findings.
Unfortunately, reports of the hack have not been greatly exaggerated, and in fact, one of the Chinese company’s “systems” was attacked months rather than days or weeks ago. “Up to 40k users” who “entered their credit card info on oneplus.net between mid-November 2017 and January 11, 2018” may be “affected” by the “incident”, with their credit card numbers, expiry dates and security codes all at risk of being compromised.
Now, 40,000 people certainly sounds like a big number, and in this day and age, it is 40,000 more than the number of online customers who should have to fear for their e-safety. But if the “malicious script” was indeed “injected into the payment page code to sniff out credit card info while it was being entered” way back in November, you may want to look on the bright side. Hundreds of thousands of shoppers, maybe even millions, could have been affected if the malware had spread to the entire payment system.
The good news is those who paid for OnePlus phones and accessories during the aforementioned at-risk period via PayPal, a saved credit card or the “Credit Card via PayPal” method should have nothing to worry about. Everyone else may want to verify their recent card statements and report any suspicious charges to their bank, especially folks who’ve received email notifications from OnePlus letting them know of this delicate and embarrassing situation.
Going forward, the OEM wants to avoid similar attacks by implementing a more secure credit card payment method, as well as conducting an in-depth security audit. For the time being, credit card payments remain disabled, the infected server is quarantined, and “all relevant system structures” are “reinforced.”