After revealing earlier this week that some OnePlus customers had found fraudulent transactions on their credit cards, OnePlus today shared the details of their investigation into this issue.
OnePlus says that a malicious script was inserted into the payment page code of its online store. This script would intermittently capture a customer's credit card data as it was being entered.
The issue was around for approximately two months, from mid-November 2017 to January 11, 2018. OnePlus estimates that up to 40,000 users have been affected. Customers credit card info, including card numbers, expiry dates, and security codes may be compromised. OnePlus is reaching out to the customers who have been affected and will offer a free year of credit monitoring to them.
OnePlus adds that customers who paid using a saved credit card from mid-November to January should not be affected. Customers who paid via the "Credit Card via PayPal" shouldn't be affected, nor should those who paid using PayPal.
This is a serious issue, and 40,000 people is not a small amount to be affected by this breach. OnePlus says that it's working with providers and authorities to address the incident and that it's also working with its payment providers to offer a more secure credit card payment method. An in-depth security audit will occur as well.