Chinese smartphone manufacturer OnePlus announced Friday it experienced a security breach that may have resulted in the credit card information of more than 40,000 customers being stolen.
The breach is believed to have taken place sometime in November and was discovered in the last week, resulting in the temporary shutdown of credit card payments in the company’s online store earlier this week. OnePlus has been working with a third-party security firm to look into how the apparent security breach occurred.
While details are sparse for the time being, it appears that hackers were able to plant a script on a payment processing server operated by OnePlus. It isn’t clear yet if the breach occurred remotely or if the attacker managed to get physical access to the server to plant the malicious code.
The script was capable of stealing data provided by customers to OnePlus to complete transactions. It’s believed the script was running on the server for the better part of two months before it was discovered.
While it was running on the OnePlus server, the malicious code was able to access a plethora of customer information including full credit card numbers, expiration dates and security codes—all hijacked directly from the user’s browser window as they entered the information.
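An injected checkout script of the kind described above is something a store operator can detect by auditing the scripts its payment page actually serves against a known-good baseline. The following is an added example (not OnePlus code and not from the article) that hashes every inline script and records every external script source on a page, then reports anything missing from the baseline; the baseline hashes, the script names and the two sample pages are all constructed for illustration.

```python
import hashlib
import re

def sha256_hex(text):
    return hashlib.sha256(text.encode("utf-8")).hexdigest()

# Constructed baseline (assumption): what a known-good deployment of the
# checkout page serves. In practice this is recorded from a trusted build.
KNOWN_GOOD_INLINE = {sha256_hex("initCheckout();")}
KNOWN_GOOD_SRC = {"/static/checkout.js"}

SCRIPT_RE = re.compile(r"<script\b([^>]*)>(.*?)</script>", re.IGNORECASE | re.DOTALL)
SRC_RE = re.compile(r'\bsrc\s*=\s*["\']([^"\']+)["\']', re.IGNORECASE)

def audit_scripts(html):
    """Return (kind, detail) findings for every script not in the baseline.

    External scripts are matched by their src attribute; inline scripts are
    matched by the SHA-256 of their body, so any modification or addition
    shows up as an unexpected script.
    """
    findings = []
    for attrs, body in SCRIPT_RE.findall(html):
        src_match = SRC_RE.search(attrs)
        if src_match:
            src = src_match.group(1)
            if src not in KNOWN_GOOD_SRC:
                findings.append(("unexpected_external_script", src))
        else:
            digest = sha256_hex(body.strip())
            if digest not in KNOWN_GOOD_INLINE:
                findings.append(("unexpected_inline_script", digest[:16]))
    return findings

# Constructed sample pages: the first matches the baseline, the second has
# an extra inline script that the baseline does not know about.
CLEAN_PAGE = (
    '<html><body><form id="card"></form>'
    '<script src="/static/checkout.js"></script>'
    "<script>initCheckout();</script></body></html>"
)
TAMPERED_PAGE = CLEAN_PAGE.replace("</body>", "<script>unknown();</script></body>")

if __name__ == "__main__":
    for name, page in (("clean", CLEAN_PAGE), ("tampered", TAMPERED_PAGE)):
        print(name, audit_scripts(page))
```

Run against a periodically fetched copy of the live checkout page, a non-empty result is the signal to pull the page and investigate the server that produced it.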
In a notice posted on the company’s forums, OnePlus provided some additional information to its customers regarding the breach. The company said the script operated “intermittently” while it was on the server and the infected system has since been quarantined so payments can continue.
The company also said the only customers affected by the attack are those who entered their credit card manually. Those who used a saved credit card, a credit card processed through PayPal or paid directly with a PayPal balance should not have been affected by the breach.
While that narrows the number of people hit by the breach, it still resulted in more than 40,000 customers being exposed and having their credit card information stolen. OnePlus noted those victims “represent a small subset” of the company’s total customer base, but that is likely to be little comfort for those who had their information compromised.
OnePlus is in the process of reaching out to those who were affected by the breach. It will be extending an offer of one year of free credit monitoring services to the victims and will work with local law enforcement on cases of credit card theft.
Credit card payments in the OnePlus online store will remain suspended for the duration of the company’s investigation into the breach. Payments for devices and other products offered through the store will only be available to be made through PayPal.
Despite the setback, OnePlus does not appear interested in changing its strategy of selling directly to consumers. The company intends to continue selling through its website rather than through other marketplaces like Amazon.