OnePlus Was Hacked And Up To 40,000 Customers Had Credit Card Info Stolen / @byenes
Bought a OnePlus smartphone in recent months? You might want to check your bank account. The Chinese manufacturer admitted Friday it had been breached back in November and that as many as 40,000 of its customers could've had their credit card information stolen.The news came after a week in which hundreds of customers reported fraud on their accounts after paying over the OnePlus website. U.K.-based cybersecurity company Fidus Information Security then detailed some security failings on the site. After an investigation and a temporary block enforced on credit card payments, OnePlus determined hackers had broken into its website server and installed malicious JavaScript code that would grab credit card data once it was entered.Customers were informed Friday morning via email, which explained credit card numbers, expiry dates and security codes were all pilfered from customers who were entering their data into the oneplus.net website from mid-November through to January 11. That's all the information anyone needs to start raiding bank accounts. Anyone who had saved credit card information or used PayPal shouldn't have have been affected, the company said.
OnePlus is offering free credit monitoring to affected customers. It's also informing law enforcement and data protection authorities across its operating regions. It's also promised to improve its security.Fidus hacker and founder Andrew Mabbitt told Forbes OnePlus were "100% at fault here." "The only way the loss of credit cards could have occurred was through a breach of the OnePlus website and the use of malicious JavaScript. They should have been redirecting to the payment processors own payment page as that environment will be fully PCI [Payment Card Industry] compliant," he said. The PCI Security Standards Council sets minimum bars to reach for payment processors in protecting data.
"They've also neglected to mention that names and addresses would've been stolen, as all the data from the first page of the checkout gets submitted in the same request," Mabbitt added. OnePlus hadn't commented on address or name information theft at the time of publication.In a forum post today, OnePlus added: "We cannot apologize enough for letting something like this happen. We are eternally grateful to have such a vigilant and informed community, and it pains us to let you down."We are working with our current payment providers to implement a more secure credit card payment method, as well as conducting an in-depth security audit. All these measures will help us prevent such incidents from happening in the future."