Malicious script sniffed out credit card information for two months

Chinese smartphone vendor OnePlus has confirmed it has fallen victim to a hack that may have led to the payment card details of up to 40,000 people being compromised.

News of a potential data breach surfaced last week, when Shenzhen-based OnePlus announced it was temporarily disabling payments through its retail site, as the company investigated reports of “unknown credit card transactions”.

In a statement posted to its community forum on Friday, OnePlus said it had discovered a malicious script that had been injected into the payment page code to sniff out credit card information while it was being entered.

“We are deeply sorry to announce that we have indeed been attacked, and up to 40,000 users at may be affected by the incident,” the company said. “We have sent out an email to all possibly affected users.”

“The malicious script operated intermittently, capturing and sending data directly from the user's browser. It has since been eliminated. We have quarantined the infected server and reinforced all relevant system structures.”

According to OnePlus, users who entered their payment details into the vendor’s site between mid-November 2017 and January 11, 2018, may be affected by the breach, which included the loss of credit card numbers, expiry dates, and security codes.

While some forum members praised the company for its swift response to the situation, the breach notification thread quickly filled up with users saying they received no warning email, and others indicating fraudulent transactions:

OnePlus said it was working with its current payment providers to implement a “more secure transaction method”.

In the meantime, the manufacturer urged potentially impacted users to check their card statements for unauthorized charges.