Earlier this week, numerous reports of credit card fraud started pouring in from OnePlus users. On the company’s forums, customers said that credit cards used to purchase a OnePlus smartphone recently were also seeing bogus charges, so OnePlus launched an investigation into the reports. It’s now a few days later, and the company has admitted that its servers were compromised—“up to 40,000 users” may have had their credit card data stolen.
OnePlus has posted a FAQ on the incident. “One of our systems was attacked,” the post reads. “A malicious script was injected into the payment page code to sniff out credit card info while it was being entered.” OnePlus believes the script was functional from “mid-November 2017” to January 11, 2018, and it captured credit card numbers, expiration dates, and security codes that were typed into the site during that time. Users who paid via PayPal or with previously entered credit card information are not believed to be affected.
OnePlus says it “cannot apologize enough for letting something like this happen.” The company is contacting accounts it believes to have been affected via email, and OnePlus says it is “working with our current payment providers to implement a more secure credit card payment method, as well as conducting an in-depth security audit.”