OnePlus today confirmed thieves siphoned tens of thousands of people's credit card numbers from its online store.
Crooks were quick to start plundering victims' accounts using the swiped information, going on shopping sprees with the stolen card data.
Here's how it went down: one of the store's servers was hacked, and its code modified so that between mid-November, 2017, and January 11 this year, bank card details typed into oneplus.net by shoppers were copied and sent over to miscreants.
Specifically, the software was tampered with to harvest the numbers, names, and security codes on cards before they were encrypted and sent to OnePlus's payment processor. The server has since been quarantined, and the malicious code removed.
OnePlus said people who opted to use PayPal were not affected, nor was anyone who had paid with a credit card they had "saved" to the site before November 11, because those cards had been encrypted by the payment provider and saved only as tokens by OnePlus.
OnePlus has sent out emails alerting punters whose information was handed over to hackers, and said it is "looking for a suitable way" to give the affected shoppers a free year of credit monitoring. Needless to say, anyone who gets one of these messages would be well advised to have their card cancelled and replaced.
Here's what was mailed to customers earlier today:
We are deeply sorry to inform you that following an attack on our systems, your credit card data may have been compromised. This data includes the card number, expiry date and security code that you entered at oneplus.net.
As soon as we were made aware of the attack, we launched an urgent investigation. We suspended credit card payments and have been working with a cybersecurity firm to reinforce our systems.
We recommend that you check your card statements and report any charges you don't recognize to your bank. They will help you initiate a chargeback and prevent any financial loss. If you run into any problems, or need further guidance, don't hesitate to reach out to us.
Meanwhile, we are looking for a suitable way to offer one year's credit monitoring to affected users. Credit monitoring is a service that alerts you to any abnormal or fraudulent use of your credit card. We will be in touch over email with details on how to claim your credit monitoring.
Once again, we cannot apologize enough for this incident and the trouble it may have caused you. We have informed the relevant authorities to monitor your card status, and will take measures to ensure this never happens again. If you have any questions, our customer support team is available at firstname.lastname@example.org.
Our deepest apologies,
The OnePlus Team
The investigation began at the weekend after folks on the OnePlus forums complained about unauthorized charges on their cards occurring after they had made a purchase on OnePlus.net.
"One of our systems was attacked, and a malicious script was injected into the payment page code to sniff out credit card info while it was being entered," OnePlus staff explained to customers on its forums.
"The malicious script operated intermittently, capturing and sending data directly from the user's browser. It has since been eliminated. We have quarantined the infected server and reinforced all relevant system structures.
"We cannot apologize enough for letting something like this happen. We are eternally grateful to have such a vigilant and informed community, and it pains us to let you down."
Critics may note that OnePlus has previously given indications of playing fast and loose with computer security. The mobe maker was found last year to have shipped handsets with factory diagnostic backdoors left active and, just days before this investigation was kicked off, OnePlus admitted it had accidentally gave some international customers a China-exclusive app that relayed clipboard-related data back to Alibaba servers. ®