An attack on OnePlus.net may have affected up to 40,000 users, whom the company has notified by email.
“One of our systems was attacked, and a malicious script was injected into the payment page code to sniff out credit card info while it was being entered,” according to a company post to its user forum.
The malicious script, which has been eliminated, “operated intermittently, capturing and sending data directly from the user’s browser,” the update said, adding that the company has “quarantined the infected server and reinforced all relevant system structures.”
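An injected payment-page script of the kind described above shows up as a change to the page's own script inventory, so one defensive control is a baseline check that flags any script the checkout page was not known to ship. The following is an added example, not code from the article or from OnePlus: it parses a page's HTML, compares each external script's host against an assumed allowlist and each inline script's hash against an assumed baseline, and reports anything unexpected. The hostnames, the sample HTML and the "collect.js" name are all constructed for the demonstration.

```python
"""Baseline check for unexpected scripts on a checkout page (added example)."""
import hashlib
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed allowlist: hosts the shop legitimately loads scripts from (constructed).
ALLOWED_SCRIPT_HOSTS = frozenset({"shop.example", "cdn.example"})


def sha256_text(text):
    """Hash an inline script body so it can be compared against a baseline."""
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


# Assumed baseline: the one inline script the checkout page is known to contain.
KNOWN_INLINE = "window.checkoutVersion = 3;"
BASELINE_INLINE_HASHES = frozenset({sha256_text(KNOWN_INLINE)})


class _ScriptCollector(HTMLParser):
    """Collect (src, inline body) for every <script> element in the page."""

    def __init__(self):
        super().__init__()
        self.scripts = []
        self._current = None  # [src, list of body fragments] while inside <script>

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "script":
            self._current = [dict(attrs).get("src"), []]

    def handle_data(self, data):
        # HTMLParser delivers script contents through handle_data.
        if self._current is not None:
            self._current[1].append(data)

    def handle_endtag(self, tag):
        if tag.lower() == "script" and self._current is not None:
            src, parts = self._current
            self.scripts.append((src, "".join(parts)))
            self._current = None


def audit_scripts(html, page_host, allowed_hosts=ALLOWED_SCRIPT_HOSTS,
                  baseline_hashes=BASELINE_INLINE_HASHES):
    """Return findings as (kind, detail) tuples: kind is "external" or "inline".

    External scripts are judged by host (relative URLs count as the page's own
    host); inline scripts are judged by the SHA-256 of their body.
    """
    parser = _ScriptCollector()
    parser.feed(html)
    findings = []
    for src, body in parser.scripts:
        if src:
            host = urlparse(src).hostname or page_host
            if host not in allowed_hosts:
                findings.append(("external", src))
        else:
            digest = sha256_text(body)
            if digest not in baseline_hashes:
                findings.append(("inline", digest))
    return findings


# Constructed sample page: two expected scripts followed by two unexpected ones.
SAMPLE_HTML = """<html><body>
<script src="/static/checkout.js"></script>
<script>window.checkoutVersion = 3;</script>
<script src="https://unknown-host.example/collect.js"></script>
<script>/* constructed: inline script not in the baseline */ var t = 1;</script>
</body></html>"""


def demo():
    """Run the audit over the constructed sample page."""
    return audit_scripts(SAMPLE_HTML, page_host="shop.example")


if __name__ == "__main__":
    for kind, detail in demo():
        print(f"unexpected {kind} script: {detail}")
```

Run periodically against the live checkout page (or in CI against the deployed bundle) and treat any finding as an incident to investigate; the same allowlist can be enforced in the browser as a Content-Security-Policy `script-src` directive, which blocks an unlisted script outright rather than only reporting it.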
Chris Morales, Vectra’s head of security analytics, said he was “impressed with the meticulousness and expediency OnePlus is taking in providing customers with notification of the breach,” which he called a departure from “how major companies tend to act.”
The breach seems to be similar to those at other retailers. “A piece of code is designed to monitor and collect credit card information,” said Morales. “This is what happened at Target, except that it was local on the POS terminal.”
He called the incident, which was reported by forum user @superdutynick, “a reminder that HTTPS, while encrypted, is not a guarantee of a secure transaction as attackers can compromise the systems at both ends of any encrypted conversation.”
Users whose credit card numbers, expiration dates and security codes may have been compromised are those who entered credit card data on oneplus.net any time between mid-November 2017 and January 11. OnePlus stressed that users paying with a saved credit card, “Credit Card via PayPal” or PayPal “should NOT be affected.”
The company urged customers to tag any charges on their credit card statements that seem suspicious and contact their banks for a chargeback. Questions were referred to the OnePlus support team at https://oneplus.net/support.
OnePlus also asked users to report any potential system vulnerabilities to firstname.lastname@example.org.