Users of the Shenzhen-based Chinese smartphone manufacturer OnePlus are on high alert after the company confirmed that their credit card data had been stolen. The breach affects, using a conservative estimate, 40,000 users of the company’s Android devices. The breach caused a large investigation to be launched and at this moment OnePlus is still working with local law enforcement to find the culprit or culprits responsible.
On their website forums, OnePlus gave an official statement that explained just what occurred. The attack is described as follows according to the statement:
One of our systems was attacked, and a malicious script was injected into the payment page code to sniff out credit card info while it was being entered. The malicious script operated intermittently, capturing and sending data directly from the user’s browser. It has since been eliminated. We have quarantined the infected server and reinforced all relevant system structures.
The statement then goes on to list potential victims, which are individuals who used OnePlus’ payment function between the large time frame of November 2017 to January 2018. This does not reflect well on the company as it took a while to discover the breach, something that makes OnePlus customers likely wonder what other data is at risk.
OnePlus tried its best to reassure their users with the following component of their official incident statement:
We are in contact with potentially affected customers. We are working with our providers and local authorities to better address the incident. We are also working with our current payment providers to implement a more secure credit card payment method, as well as conducting an in-depth security audit. All these measures will help us prevent such incidents from happening in the future.
Whether this is “too little, too late” remains to be seen. OnePlus has had well-publicized security issues before, so this incident could not have come at a worse time.
Photo credit: OnePlus