OnePlus hacked as customers are warned of a serious breach

OnePlus, the Chinese smartphone brand that asks you to “never settle”, has admitted it has suffered a widespread credit card hack. In a letter to its customers, along with a post on its forums, OnePlus apologised for the breach and stated that card numbers, expiry dates and security codes had all been compromised.

It’s unclear exactly when this attack took place and for how long OnePlus has been sitting on the information, but it told customers that it “launched an urgent investigation,” as soon as it was made aware of the attack. It also “suspended credit card payments” and has “been working with a cybersecurity firm to reinforce [its] systems”.

OnePlus recommends that every customer check their card statements and report any unrecognised charges. It also stated that “if you run into any problems, or need further guidance, don’t hesitate to reach out”.

OnePlus says that the hack occurred thanks to a malicious script inserted into the OnePlus.net payment page code. This allowed hackers to see customers’ credit card numbers, expiration dates and security codes – essentially all the information needed to use a card for a fraudulent payment.

On the surface, the hack seems reminiscent of the session replay scripts that shook the internet back in November.

Currently, OnePlus is uncertain of just how many customers have been affected. It has managed to trace the code’s insertion to sometime in mid-November, just before the OnePlus 5T launch. There are a potential 40,000 affected customers, but those who had saved their credit card info in OnePlus’ systems before mid-November are not affected, nor are PayPal customers.

As an apology, OnePlus says it’s looking for “a suitable way to offer one year’s credit monitoring to affected users”. This should mean that any abnormal or fraudulent payments on your credit card will be pinged to you as soon as they happen. OnePlus will be getting in touch with the affected users soon to ensure they can claim their credit monitoring service.

As with all of these incidents, your best course of action is to cancel all credit or debit cards you believe may have been compromised. Also, reach out to your bank and make sure that they’re aware of the breach and can provide monitoring services just in case.

You can read the full letter to affected customers below, posted by Peter Smallbone on Twitter.

If you’ve ever bought a phone from @oneplus, I suggest you cut up your credit card. Mine’s been used to buy a few hundred quid’s worth of stuff #creditcardfraud