After learning that fraudulent charges were appearing on its customers' credit cards, smartphone maker OnePlus disabled support for credit card payments and launched an on-going investigation. The preliminary results are in, however, and they're definitely concerning. In a statement released today, OnePlus said credit card information belonging to up to 40,000 customers was captured by a malicious (and currently unknown) actor between November 2017 and mid-January 2018.
OnePlus hasn't confirmed the number of customers whose captured payment information has been used for fraudulent purchases, noting instead that the number of affected users represented a "small portion" of its customer base. While it's true that millions of OnePlus smartphones have been sold since the Oppo spin-off set up shop in 2014, that's likely little consolation for the people directly involved. As a result of the breach, OnePlus says it's continuing to work with law enforcement, and will offer a year of free credit monitoring to all affected users.
But how did all this happen in the first place? According to a company spokesperson, a malicious actor gained access to one of its servers and injected a script that captured people's credit card information as it was typed into the site's payment form. While some originally suspected OnePlus' payment processor was to blame for the issue, it appears that the credit card payment process worked exactly as it was supposed to. Once entered, the payment data was subsequently encrypted and transmitted to the company's payment processor as usual — the script seized on a window of opportunity and captured the information before it could be encrypted in the first place.
That means customers who paid via PayPal aren't affected by the breach, and people who paid with previously saved credit card details should not be impacted because they didn't manually input the information.
While OnePlus' statement sheds much-needed light on the situation, some of the most crucial details either haven't been unearthed or have not yet been revealed. An investigation into potential culprits is still ongoing, and while a spokesperson insists only one server was affected, he was unable to confirm whether the vulnerability existed in other company-owned servers as well. That same spokesperson said the company is trying to be "as transparent as possible" with its customers, but would not say if the full results of the investigation would be released once the process has been concluded.
OnePlus has said in the past that its strategy for growth in a highly competitive market is simply to build great products. While it's true we — and quite a few others — have been fond of OnePlus hardware, multiple gaffes in the past year have given the company's fans reason to be concerned. This past November, an app called EngineerMode allowed root-level access to anyone who had physical access to your OnePlus phone, and the month before that, concerns about OnePlus devices phoning home with usage data made the rounds. Throw in a bug that forced some OnePlus 5s to reboot while on emergency calls from this past summer and it seems that the company is suffering from a serious — and troubling — lack of attention to detail.