OnePlus UK has announced that it recently suffered unauthorised access to its systems, which resulted in cyber criminals stealing the names, contact numbers, email addresses and shipping addresses of an undisclosed number of customers.
OnePlus said in a detailed statement on its website that customers affected by the breach of personal information have already been notified by email, and that anyone who has not received a notification is not affected.
The Chinese company also said that it will soon be partnering with a world-renowned security platform and will launch an official bug bounty programme by the end of December.
"Last week while monitoring our systems, our security team discovered that some of our users' order information was accessed by an unauthorized party. We can confirm that all payment information, passwords and accounts are safe, but the name, contact number, email and shipping address in certain orders may have been exposed.
"We took immediate steps to stop the intruder and reinforce security, making sure there are no similar vulnerabilities. Before making this public, we informed our impacted users by email. Right now, we are working with the relevant authorities to further investigate this incident.
"We've inspected our website thoroughly to ensure that there are no similar security flaws. We are continually upgrading our security program - we are partnering with a world-renowned security platform next month, and will launch an official bug bounty program by the end of December," the company said.
OnePlus' checkout page also leaked payment card details of buyers
This is not the first time that OnePlus has suffered a security incident that resulted in the compromise of customers' personal or financial information. In January last year, security firm Fidus revealed that the OnePlus checkout page that accepted payments from visitors contained security vulnerabilities arising from PCI non-compliance, in particular from not embedding a third-party payment processor's iFrame. These vulnerabilities could enable hackers to intercept customers' financial details before they were encrypted.
According to PCI requirements, website owners are required to use iFrames provided by third-party payment processors, as such pages are encrypted and any details a customer enters cannot be intercepted by hackers. After reports emerged of several OnePlus customers complaining that their credit card details had been accessed by third parties, the researchers decided to investigate.
"Interestingly enough, the payment page which requests the customer’s card details is hosted ON-SITE and is not an iFrame by a third-party payment processor. This means all payment details entered, albeit briefly, flow through the OnePlus website and can be intercepted by an attacker.
"Whilst the payment details are sent off to a third-party provider upon form submission, there is a window in which malicious code is able to siphon credit card details before the data is encrypted," they noted.
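The distinction Fidus describes, card fields rendered in the merchant's own document versus card entry delegated to a processor's cross-origin iframe, is something a merchant can check for on its own checkout markup. The audit below is an added example, not code from OnePlus or Fidus; it uses constructed sample pages and a hypothetical processor domain (pay.processor.example), and it is a dependency-free regex scan rather than a full HTML parser. Any card-number, CVV or expiry input found in the merchant's HTML lives in the merchant's document and is readable by every script running on that page; an iframe whose origin differs from the page's is isolated from those scripts by the browser's same-origin policy, which is exactly the window Fidus says an on-site form leaves open.

```javascript
// Added example (not OnePlus's or Fidus's code): audit a checkout page's HTML to
// see whether card data is collected in the merchant's own document (reachable
// by any script on that page) or delegated to a cross-origin processor iframe.
// Runs under Node; the HTML samples at the bottom are constructed, not real.

const CARD_FIELD = /\b(cc-number|cc-csc|cc-exp(-month|-year)?|card[_-]?number|cardnumber|cvv|cvc|security[_-]?code|expiry|exp[_-]?date)\b/i;

// Return the attributes of every <tagName ...> start tag as plain objects.
function findTags(html, tagName) {
  const tagRe = new RegExp(`<${tagName}\\b([^>]*)>`, 'gi');
  const attrRe = /([a-zA-Z_:][-a-zA-Z0-9_:.]*)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+))/g;
  const tags = [];
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    const attrs = {};
    let a;
    attrRe.lastIndex = 0;
    while ((a = attrRe.exec(m[1])) !== null) {
      const value = a[2] !== undefined ? a[2] : (a[3] !== undefined ? a[3] : a[4]);
      attrs[a[1].toLowerCase()] = value;
    }
    tags.push(attrs);
  }
  return tags;
}

// Resolve a (possibly relative) frame URL against the page and return its origin.
function originOf(url, pageOrigin) {
  if (!url) return null;
  try { return new URL(url, pageOrigin).origin; } catch (e) { return null; }
}

// Card inputs present in the merchant's HTML are part of the merchant's DOM:
// first-party or injected scripts can read them before the form is submitted.
function inlineCardFields(html) {
  return findTags(html, 'input')
    .filter(a => [a.name, a.id, a.autocomplete].some(v => v && CARD_FIELD.test(v)))
    .map(a => a.name || a.id || a.autocomplete);
}

// Frames on a different origin are walled off by the same-origin policy;
// a same-origin frame gives no such isolation, so it is reported separately.
function paymentFrames(html, pageOrigin) {
  return findTags(html, 'iframe')
    .map(a => originOf(a.src, pageOrigin))
    .filter(o => o !== null)
    .map(o => ({ origin: o, crossOrigin: o !== pageOrigin }));
}

// Verdicts: 'inline' (card data flows through the merchant page),
// 'delegated' (card entry lives in a cross-origin frame), 'not-found' (neither).
function auditCheckout(html, pageOriginUrl) {
  const pageOrigin = new URL(pageOriginUrl).origin;
  const inlineFields = inlineCardFields(html);
  const crossOriginFrames = paymentFrames(html, pageOrigin)
    .filter(f => f.crossOrigin)
    .map(f => f.origin);
  let verdict = 'not-found';
  if (inlineFields.length > 0) verdict = 'inline';
  else if (crossOriginFrames.length > 0) verdict = 'delegated';
  return { verdict, inlineFields, crossOriginFrames };
}

// Constructed sample markup (hypothetical merchant shop.example and processor
// pay.processor.example; none of this is OnePlus's actual checkout page).
const HOSTED_FORM = `
<form action="/checkout" method="post">
  <input type="text" name="cardNumber" autocomplete="cc-number">
  <input type="text" name="expiry" autocomplete="cc-exp">
  <input type="text" name="cvv" autocomplete="cc-csc">
</form>`;

const DELEGATED_FORM = `
<form action="/checkout" method="post">
  <input type="text" name="shipping_address">
  <iframe src="https://pay.processor.example/card-entry?merchant=123"></iframe>
</form>`;

const SAME_ORIGIN_FRAME = `
<form action="/checkout" method="post">
  <iframe src="/pay/card-form"></iframe>
</form>`;

console.log(JSON.stringify(auditCheckout(HOSTED_FORM, 'https://shop.example'), null, 2));
console.log(JSON.stringify(auditCheckout(DELEGATED_FORM, 'https://shop.example'), null, 2));
console.log(JSON.stringify(auditCheckout(SAME_ORIGIN_FRAME, 'https://shop.example'), null, 2));
```

The first sample reports `inline` with the three card fields named; the second reports `delegated` with the processor's origin; the third reports `not-found`, because a frame served from the merchant's own origin is still reachable by merchant-page scripts and so does not count as delegation. A real audit would run this over the rendered page rather than the raw template, since scripts often inject the card form at runtime.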
Image source: Oneplus.in