• OnePlus has confirmed that as many as 40,000 customers may have been affected by a security breach.
  • Sensitive banking information including credit card numbers, expiry dates, and security codes may have been compromised.
  • “We cannot apologize enough for letting something like this happen,” said OnePlus in a statement.

OnePlus has concluded its investigation into reports that some of its customers had been hit with fraudulent credit card activity… and it’s not good news for the Chinese company or a huge number of its customers.

In a statement posted on its official forums, OnePlus confirmed that as many as 40,000 users may have had their credit card information stolen due to a major security breach. OnePlus says it has now contacted all of the affected users directly and is working with “providers and local authorities to better address the incident”.

OnePlus shut down all credit card payments on its website after reports of account fraud began spreading on Reddit in recent weeks. However, the forum post confirms that the severity and scale of the problem is far larger than initially thought, as the breach may have affected anyone who input credit card information on OnePlus’ website from as far back as mid-November 2017 last year.

Editor's Pick

The resulting security audit discovered that one of OnePlus’ systems had been attacked by a malicious script that intermittently captured data from a user’s browser window. The infected server has since been quarantined, but it’s unclear how much damage the script did during the roughly two-month period, or how it evaded OnePlus’ security in the first place.

Credit card numbers, expiry dates, and security codes may have all been compromised, OnePlus says, although this should only impact users that entered new card information during the period in question. Payment cards already saved on the site and transactions via PayPal are thought to be unaffected.

OnePlus is recommending that all recent customers check their card statements and report any signs of possible fraudulent activity directly to their bank.

As well as promising that it will revise its payment system and conduct further security audits, OnePlus also took the opportunity to apologize for the entire scenario, stating:

“We cannot apologize enough for letting something like this happen. We are eternally grateful to have such a vigilant and informed community, and it pains us to let you down.”

While many of the responses on OnePlus’ official forums have praised the company for its honesty, it seems unlikely that the Shenzhen-based company’s reputation will come out of the situation unscathed. The ongoing absence of card payments from OnePlus’ website will already have a knock-on effect to the OEM’s bottom line just days after the company announced record sales figures for 2017 and boasted of “healthy profits”.

The bigger concern, however, is trust. OnePlus has spent years cultivating a dedicated customer base via online sales and support and has only recently started selling phones via carriers in select regions.

With co-founder and CEO Pete Lau again talking of lucrative deals with US carriers in recent weeks, news of a data breach could impact customer perception of the OnePlus brand. It could even raise alarm bells among potential partners, especially after the long-mooted Huawei-AT&T partnership collapsed in such spectacular fashion at CES 2018.