OnePlus website hacked; credit card data of 40,000 users stolen

If you are a OnePlus customer and bought their products through their website between mid-November 2017 and January 11, 2018, chances are that your credit card data has been stolen.

OnePlus, the Chinese smartphone manufacturer has acknowledged that its website was hacked and breached by hackers who stole credit card data belonging to around 40,000 customers.

Background

On January 15th, 2017, HackRead published an in-depth report on OnePlus customers complaining about credit card fraud and claiming that their cards had been used to make purchases without their knowledge and permission after shopping through the OnePlus website (OnePlus.net) between October and December 2017.

In reply, OnePlus had denied that their checkout page was hacked or breached. However, according to Fidus InfoSecurity Limited, a British cybersecurity agency, OnePlus checkout was using Magento eCommerce platform that was in the news lately for containing a critical bug that could be exploited to take over any website. Remember, the same bug was used by a Coinhive user to hack BlackBerry mobile website and place Monero cryptocurrency mining code.

Furthermore, Fidus pointed out several loopholes in the OnePlus website and concluded that there is a chance OnePlus website could be compromised by placing Javascript and modifying the Cc.php file which requires shell access to the server and indicates a serious compromise.

OnePlus admits it suffered data breach

Earlier today (January 19th, 2017), according to the official forum post by OnePlus’ staff member Mingyu it has been acknowledged that the company did suffer a hack attack in which hackers infected a malicious script into the company’s payment page code and siphoned out credit card data.

One of our systems was attacked, and a malicious script was injected into the payment page code to sniff out credit card information from customers who were entering the data on OnePlus.net. However, OnePlus maintains that customers who used saved credit cards or paid via the “Credit Card via PayPal” and those who bought OnePlus products via PayPal should not be affected.

OnePlus also sent emails to potentially affected customers informing that their credit card data including card numbers, expiry date, and security codes were stolen between mid-November 2017 and January 11, 2018. Moreover, the company has contacted law enforcement authorities in regions it operates in and offered free credit monitoring to affected customers.

“We cannot apologize enough for letting something like this happen. We are eternally grateful to have such a vigilant and informed the community, and it pains us to let you down.”

“We are working with our current payment providers to implement a more secure credit card payment method, as well as conducting an in-depth security audit. All these measures will help us prevent such incidents from happening in the future,” said Mingyu.

Waqas

Waqas Amir is a Milan-based cybersecurity journalist with a passion for covering latest happenings in cyber security and tech world. In addition to being the founder of this website, Waqas is also into gaming, reading and investigative journalism.