Earlier this week, several people who had shopped at the OnePlus online store reported they were seeing fraudulent transactions on their credit cards. At the time, the company said it was investigating the claims “as a matter of urgency”. These investigations seemed to have thrown up some results as OnePlus that credit card details of “up to 40,000 users” may have been stolen thanks to malicious code injected onto its website.
“One of our systems was attacked, and a malicious script was injected into the payment page code to sniff out credit card info while it was being entered,” a OnePlus staff member wrote on the company’s online forums on Friday. “The malicious script operated intermittently, capturing and sending data directly from the user’s browser. It has since been eliminated.”
The company said that only users who entered credit card details afresh on the website “between mid-November 2017 and January 11, 2018” would potentially be impacted. If you paid using saved credit card details, or completed the payment using “Credit Card via PayPal”, or via PayPal directly, you should not be affected, the company added.
“We cannot apologise enough for letting something like this happen. We are eternally grateful to have such a vigilant and informed community, and it pains us to let you down,” the post said.
OnePlus added that it is contacting the potentially affected customers directly and it is “working with our providers and local authorities to better address the incident”.
If you’ve entered your card details on the OnePlus website between mid-November 2017 and 11 January 2018, it would probably be a good idea to request a fresh card from your bank, even if you haven’t seen any fraudulent activities on your card yet. If you see any charges on your statement that you don’t recognise, contact your bank and initiate a chargeback.