Things just went from bad to worse real quick.
On Monday, January 15, OnePlus announced on its forums that some customers had reported fraudulent activity on credit and debit cards used for purchases on oneplus.net. It was unclear at the time how many people had been affected or what caused this in the first place, and just a day later, OnePlus removed the option to make payments with a credit/debit card from its site.
A few days later on January 19, OnePlus issued another update on its forums to confirm that this fraudulent activity was a result of a security breach that affected up to 40,000 users.
How in the world did this happen? According to OnePlus, a malicious script was added to the payment code of its site and sniffed out credit/debit card information as customers entered it. The script has since been eliminated, but it was active between mid-November of 2017 and January 11, 2018.
Thankfully, there are some caveats regarding who's been affected. Per OnePlus:
- Users who paid via a saved credit card should NOT be affected
- Users who paid via the "Credit Card via PayPal" method should NOT be affected
- Users who paid via PayPal should NOT be affected
OnePlus says that it's in contact with customers who have fallen victim to this attack and that it's working with its payment processor and providers to ensure that something like this doesn't happen again. If you're unsure whether or not your card information has been compromised, keep an eye on your transaction history to confirm that any payments being made are ones you've authorized. If you want to be extra cautious (which we almost encourage in a case like this), it's not a bad idea to contact your bank, cancel your current card, and get a new one.
Even though I already asked you this question, does this new information impact your decision to do business with OnePlus in the future?
Reader comments
From back doors to benchmark cheating and now credit card sniffing. Can somebody class action them now?
No, I don't see that happening, considering it was an error and it's quickly being audited and corrected.
Is the writing on the wall yet?
Not bad only 40K
That's probably all their users...
Considering they made $1.5 billion last year and god knows how many OnePlus One's, 2's, 3's, 3T's, 5's and 5T's have been sold in total, I don't think 40K is their entire userbase.
Change your credit card numbers yearly folks.
I don't see the point in doing this. When they get your number, they're likely to use it fairly quickly. I've got a credit card number that I've had for like 10 years and I've never had a problem. When I see fraudulent activity, then I'll change it.
LOL, or just be vigilant. If you bank with a bank that doesn't protect you, then you already lose. A lot can happen in a year. Why not every month, or every week? Swiping your card at the gas pump that has a skimmer can happen in a blink. You really want to protect yourself, pay with cash.
That's dumb advice. I had a new card number stolen within 4 weeks of getting a new one after a previous breach. The first breach was a national retailer's fault. The second one happened in the LAX airport somehow. The real key is to stay on top of your charges. I have mine set to send me an alert if it detects a charge over $100. That way, if someone goes on a Coach bag buying spree, I'll know about it and can cancel the card quickly.
That is an awful solution
(Waits for comments blaming the Chinese government for spying and stealing through phones manufactured in their country)
You do have to wonder who actually injected the malicious code into their site.
It almost certainly was NOT the Chinese government lol.
Most likely a disgruntled employee! Or just an opportunistic hacker.
You thought that too I see
I really wanted the 5T, and was so close to buying one a few weeks back; but decided on another phone. I'm really relieved I didn't purchase from the site; though it's still awful, as OnePlus makes great phones and this will certainly put a damper on its products and the site - and on customer support/site security. Hopefully things get rectified soon and these users will have their minds put at ease.
I was one of the 40k impacted. I saw a fraudulent purchase on my card and had to cancel it yesterday. Waiting for my new one now. It's not too much of a hassle but I will only use PayPal going forward. It's just that Google makes it so easy to enter credit card details with a saved card that an extra login to PayPal seems like an unnecessary step. Lesson learnt.
Good that they found the root cause. This could happen to any credit card entry page. Warning for small sites that want to throw in e-commerce without it being a core competency. Big win for services like PayPal.
The fact that they're dealing with this as quickly as possible is a "plus" for them... They didn't hide anything or wait to say anything about it *cough, APPLE*
I find it amusing the "haters" of various makes. I've owned just about all of the major brands throughout the years including Apple, Samsung, Nexus, LG, HTC, and now OnePlus. My wife and I have a OnePlus3 and 5T respectively. Zero issues. Both on Oreo. She cracked her screen on the OP3 out of warranty. $96 shipped and it was completely fixed with a two-week turnaround by OnePlus. Not a bad deal. I've had no issues with their customer service. Phones are stupid snappy and OxygenOS is the best of stock Android with some nice tweaks. It's a shame others are afraid to try other products or bash without even giving them a try.
Ouch.