Chinese smartphone maker OnePlus recently announced that up to 40,000 of its customers would be affected by a security breach that has affected its online store and led to the suspension of credit card payments on its online shopping platform. The number of affected users represents a “small portion” of its customer base.
This announcement follows complaints from several customers of the brand on its forum. The complaints described the theft of bank card details that had been used only to make purchases on the OnePlus website, and fraudulent banking transactions that some of those customers subsequently suffered.
OnePlus uses Magento on its online shopping platform. When a transaction is made, rather than redirecting the buyer to a bank's site, the payment page/app is hosted directly on the manufacturer's site. The card data is then transmitted to the financial institution, and it is at this precise moment that attackers can steal the information from the bank cards, just before the encryption procedure starts.
According to a company spokesman, a malicious person/hacker accessed one of their servers and injected a script that captured customers' credit card information as it was typed into the site's payment form. Normally the payment data is encrypted and forwarded to the merchant's payment processor; however, the script injected by the hacker exploited a window of opportunity and captured the information before it could be encrypted in the first place. This means that customers who paid via PayPal are not affected by the breach, and people who paid with previously saved credit card details should not be affected because they did not manually enter the information.
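The capture-before-encryption sequence described above was only possible because the attacker could alter the scripts served on the checkout page. The following Python script, added here as an illustration and not code from OnePlus or Magento, shows one defensive control a merchant can run against its own site: it extracts the inline and external scripts of a served checkout page and compares them with a manifest recorded from a known-clean copy, so that an unexpected script on the payment form raises a finding. The sample HTML, the manifest layout and the function names are all constructed for this example.

```python
"""Checkout-page script integrity audit (added example, not OnePlus's or
Magento's code). The page HTML, manifest format and hashes below are
constructed for illustration; a real deployment would rebuild the manifest
from a clean copy of the page after every release."""
import hashlib
from html.parser import HTMLParser


class ScriptCollector(HTMLParser):
    """Collects external script URLs and inline script bodies from HTML."""

    def __init__(self):
        super().__init__()
        self.external = []       # values of src="" on <script> tags
        self.inline = []         # bodies of <script> tags without src
        self._in_script = False
        self._buf = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "script":
            return
        src = dict(attrs).get("src")
        if src:
            self.external.append(src)
        else:
            self._in_script = True
            self._buf = []

    def handle_data(self, data):
        # HTMLParser treats <script> content as CDATA, so the body arrives here whole
        if self._in_script:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag.lower() == "script" and self._in_script:
            self.inline.append("".join(self._buf))
            self._in_script = False


def sha256_hex(text):
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


def collect_scripts(html):
    collector = ScriptCollector()
    collector.feed(html)
    return collector.external, collector.inline


def build_manifest(clean_html):
    """Record what a known-clean checkout page is allowed to load."""
    external, inline = collect_scripts(clean_html)
    return {
        "external_allowlist": set(external),
        "inline_hashes": {sha256_hex(body.strip()) for body in inline},
    }


def audit_checkout_page(html, manifest):
    """Return a list of findings; an empty list means the page matches the manifest."""
    external, inline = collect_scripts(html)
    findings = []
    for src in external:
        if src not in manifest["external_allowlist"]:
            findings.append(f"unexpected external script: {src}")
    for body in inline:
        digest = sha256_hex(body.strip())
        if digest not in manifest["inline_hashes"]:
            findings.append(f"unexpected inline script (sha256 {digest[:16]}...)")
    return findings


# Constructed sample: a clean checkout page with one external and one inline script.
CLEAN_PAGE = """<html><body>
<form id="payment" action="/checkout/submit" method="post">
  <input name="card_number"><input name="cvv"></form>
<script src="/static/checkout.js"></script>
<script>document.getElementById('payment').dataset.ready = '1';</script>
</body></html>"""

# Constructed sample: the same page with an extra script added before </body>.
# The body is a placeholder comment standing in for an injected capture script.
TAMPERED_PAGE = CLEAN_PAGE.replace(
    "</body>",
    "<script>/* constructed stand-in for an injected script */</script>\n</body>",
)

MANIFEST = build_manifest(CLEAN_PAGE)

if __name__ == "__main__":
    print("clean page:", audit_checkout_page(CLEAN_PAGE, MANIFEST))
    print("tampered page:", audit_checkout_page(TAMPERED_PAGE, MANIFEST))
```

Run periodically against the live checkout page (fetched as a customer would see it) and the server-side template files; a hit on either side is a signal to pull the payment form offline and investigate, since the card numbers customers type are exposed from the moment an unknown script runs in that page.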
Credit card payments will remain suspended on OnePlus.net until the investigation is complete and the group is in the process of implementing a more secure credit card payment method before reactivating this method of payment. In the meantime, you can still use PayPal to buy items on the smartphone manufacturer’s website.