Following an investigation into a credit card breach that affected its e-commerce website, OnePlus has announced that as many as 40,000 customers have had their credit card information stolen.
According to an official post on the OnePlus community forums, a malicious script was inserted into one of the company’s credit card processing systems. Working “intermittently,” the script was able to scrape full credit card information, including card numbers, expiry dates and security codes. Its investigation has led OnePlus to believe the script was active between mid-November 2017 and January 11th, 2018.
In a statement to The Verge, OnePlus said that, with the assistance of an outside firm, it has been able to determine the point of entry an attacker used to plant the malicious script. However, the company has yet to discern whether the attack was conducted remotely, or if someone had local access to the relevant server.
To the best of the company’s knowledge, customers who used PayPal or a stored credit card to make a purchase on OnePlus.net during the almost three-month period when the script was active have not had their credit card information compromised.
OnePlus has emailed the customers it believes were affected by the breach. A spokesperson for OnePlus told The Verge’s Dan Seifert that the approximately 40,000 customers affected by the breach represent “a small subset” of its total customer base.
As recompense, the company is offering affected customers a free year of credit monitoring service.
“We cannot apologize enough for letting something like this happen. We are eternally grateful to have such a vigilant and informed community, and it pains us to let you down,” said a OnePlus spokesperson on the company’s forums.
For the time being, credit card transactions on OnePlus.net will remain suspended until the company completes its investigation. Customers can continue to buy products from OnePlus.net using PayPal.