Though reports of stolen credit card information and fraudulent purchases were only made in the past week, OnePlus says that the script that stole the data had been running on one of its payment processing servers since mid-November. The script was able to capture full credit card information, including card numbers, expiry dates, and security codes directly from a customer’s browser window. The company says it has determined where the exploit happened and has found the point of entry for the attacker, but the investigation remains ongoing. It’s not yet clear if the attack was done remotely, or if someone had physical access to the server to install the script.
In a forum post detailing the findings, OnePlus says the script operated “intermittently” and the infected server has been quarantined from the rest of the system. It also says that customers that paid via a saved credit card, a credit card processed via PayPal, or through a PayPal account should not have been affected by the breach.
A OnePlus spokesperson says that the 40,000 customers exposed to the attack “represent a small subset” of its total customer base. The company is reaching out to affected customers and offering a year of credit monitoring service for free. It is also working with local authorities during the investigation.
Credit card payments will remain suspended on the OnePlus.net store until the investigation is complete, with customers able to purchase items through PayPal in the meantime. OnePlus says it is working to implement a more secure credit card payment method before it re-enables them.
Last week, OnePlus CEO Pete Lau told CNET that it is exploring partnerships with US carriers, but a spokesperson confirmed that this security breach will not change anything in terms of OnePlus’ online sales strategy. The company currently does not have plans to move its store to Amazon or another e-commerce platform.