Editors' Note: We've updated this report with comment from OnePlus.
Earlier in the week, we learned OnePlus’ online store was compromised following reports of fraudulent charges on customers’ payment accounts after completing purchases on the phone maker’s site. As it turns out, as many as 40,000 customers may have been affected.
Following the initial reports, OnePlus sought the insights of a third-party security agency, which discovered a script running on one of the servers responsible for handling transactions on the company’s website. Although OnePlus said earlier that customers’ payment data is "never processed or saved" on its site, this script was able to lift everything (card numbers, security codes, and expiration dates) right from the text fields before checkout.
Shortly after customers began noticing fraudulent transactions on their own statements, OnePlus stopped allowing payment via credit cards. The company says users who purchased items from its website between mid-November and Jan. 11 stand at risk, though not if they used a credit card saved before that time or any of the PayPal-related payment options.
OnePlus says it has eliminated the malicious script in question and stopped using the infected server, so the problems shouldn’t persist. Nevertheless, if you believe you’re at risk, our recommendations remain the same: Check your statements carefully and report anything suspicious to your card issuer. You're almost certainly off the hook for any fraudulent use as long as you report what you've seen in a reasonable timeframe.
It would be easy to recommend that prospective OnePlus customers buy the company’s products somewhere else for the time being, but unfortunately OnePlus doesn’t partner with any third-party retailers. If you decide to buy something, your only option for now is PayPal, which should continue to work safely as it doesn’t require you to enter any sensitive information that could potentially be intercepted before it reaches OnePlus' servers.
OnePlus has stated it is working on replacing the existing payment platform with something more secure. When asked how long that might take, a representative told Tom's Guide that while the company "cannot offer an exact timeline," it is "working on removing [its] systems entirely from the payments process."
"We’ve worked with a cybersecurity firm to conduct a full security audit and are testing our new payments solution," the spokesperson added. "In the meantime, customers will have the PayPal option to purchase products."
If you have any questions, OnePlus’ FAQ on the matter hosted on its community forums describes the breach in greater detail, and offers resources for those whose information has been compromised. The company says it has reached out to these users via email, and according to The Verge, it will provide them with free credit card monitoring for a year.