OnePlus Gives Update on Payments Breach, Says 40,000 Accounts Were Affected
About a week ago, we started seeing reports from OnePlus Store customers of fraudulent charges on their monthly credit card and bank account statements. The cause turned out to be an attack on the OnePlus website in which a malicious script was injected into the payments page code. After acknowledging the issue and temporarily shutting down credit card payments on its website, the company issued an update on its investigation in a blog post.
Signs of an attack on OnePlus’s payments page were reported on Reddit and the OnePlus forums, but it was researchers at Fidus who first narrowed the explanation down to two possibilities: either (1) OnePlus’s credit card payment gateway, CyberSource, had been hacked, or (2) the web store itself had been compromised.
On top of that, the Fidus researchers found that OnePlus’s payments page didn’t appear to be compliant with the PCI DSS card-industry standard, contrary to the company’s claims. One of the standard’s requirements is that a company “encrypt transmission of cardholder data and sensitive information across public net[works]”, and the way the page handled card data didn’t appear to meet it.
What caused it?
OnePlus says that its systems were attacked, and that a malicious script designed to sniff out credit card data as customers entered it had been injected into the payments page code. The team learned that the malicious script operated intermittently, capturing data in the customer’s browser and sending it directly from there to an offsite server. That detail matters for the PCI point above: the transport-encryption requirement protects data moving between systems, and would not by itself have stopped a script that reads the card fields inside the browser before the form is ever submitted.
OnePlus identified the script and removed it this week, and took the precautionary step of quarantining the infected server and “reinforcing all relevant system structures”. But it says that as many as 40,000 users might have been affected.
Who was affected and what was compromised?
Any customer who used a credit card to purchase an item from the OnePlus Store between mid-November 2017 and January 11, 2018 might have been affected by the breach, according to the company. The compromised payment data includes card numbers, expiry dates and security codes, along with any other information required to complete a purchase. Security codes are never supposed to be stored once a transaction is authorized, so their exposure is consistent with the data being captured in the browser as it was typed rather than lifted from a database.
There’s a silver lining, though. Customers who had credit cards on file with OnePlus but who didn’t make a purchase in that timeframe aren’t affected, and neither are users who paid with PayPal.
What should you do?
If you made a purchase on OnePlus’s website recently and are worried your information might have been stolen, the company recommends you contact its support team. Alternatively, if you come across what you think might be a vulnerability on the website, you’re encouraged to send a report to [email protected].
OnePlus is recommending that customers check their bank and credit card statements and report any purchases they don’t recognize to their bank or card issuer, which can reverse the charge (a chargeback) so the customer doesn’t bear the loss. Because card numbers, expiry dates and security codes were all captured, a card used on the site in that window can be used for card-not-present fraud until it is replaced, so asking the issuer for a new card is the surer fix rather than relying on statement checks alone.
What is OnePlus doing now?
OnePlus apologized for the payments breach and says it’s “eternally grateful” to the community for identifying a pattern of fraudulent payments. The company’s reviewing logs and contacting people who might have been impacted by the breach, it says, and working with its payments provider and local authorities to prevent future incidents.
OnePlus also says it plans to implement a “more secure” credit card payment method on its website, and that it’s conducting an in-depth security audit to see if there are any other vulnerabilities attackers could be taking advantage of.
It’s too early to tell yet, but OnePlus could face consequences for handling card data in a non-compliant way. PCI DSS is enforced not by the PCI Security Standards Council, which only maintains the standard, but by the card brands through a merchant’s acquiring bank; the penalties available include fines and, ultimately, losing the ability to accept credit card payments.