40,000 Impacted by OnePlus Breach: What to Do
OnePlus has confirmed as many as 40,000 customers may have been affected in a data breach on its store that emerged between November and January. Here's what to do if you're one of them.
Editors' Note: We've updated this report with comment from OnePlus.
Earlier in the week, we learned OnePlus’ online store was compromised following reports of fraudulent charges on customers’ payment accounts after completing purchases on the phone maker’s site. As it turns out, as many as 40,000 customers may have been affected.
Following the initial reports, OnePlus sought the insights of a third-party security agency, which discovered a script running on one of the servers responsible for handling transactions on the company’s website. Although OnePlus said earlier that customers’ payment data is "never processed or saved" on its site, this script was able to lift everything — card numbers, security codes, and expiration dates — right from the text fields before checkout.
Shortly after customers began noticing fraudulent transactions on their own statements, OnePlus stopped allowing payment via credit cards. The company says users who purchased items from its website between mid-November and Jan. 11 are at risk, unless they used a credit card saved before that time or any of the PayPal-related payment options.
OnePlus says it has eliminated the malicious script in question and stopped using the infected server, so the problems shouldn’t persist. Nevertheless, if you believe you’re at risk, our recommendations remain the same: Check your statements carefully and report anything suspicious to your card issuer. You're almost certainly off the hook for any fraudulent use as long as you report what you've seen in a reasonable timeframe.
It would be easy to recommend prospective OnePlus customers buy the company’s products somewhere else for the time being, but unfortunately OnePlus doesn’t partner with any third-party retailers. If you decide to buy something, your only option for now is PayPal, which should continue to work safely as it doesn’t require you to enter any sensitive information that could be intercepted before it reaches OnePlus' servers.
OnePlus has stated it is working on replacing the existing payment platform with something more secure. When asked how long that might take, a representative told Tom's Guide that while the company "cannot offer an exact timeline," it is "working on removing [its] systems entirely from the payments process."
"We’ve worked with a cybersecurity firm to conduct a full security audit and are testing our new payments solution," the spokesperson added. "In the meantime, customers will have the PayPal option to purchase products."
If you have any questions, OnePlus’ FAQ on the matter hosted on its community forums describes the breach in greater detail, and offers resources for those whose information has been compromised. The company says it has reached out to these users via email, and according to The Verge, it will provide them with free credit card monitoring for a year.
Adam Ismail is a staff writer at Jalopnik and previously worked on Tom's Guide covering smartphones, car tech and gaming. His love for all things mobile began with the original Motorola Droid; since then he’s owned a variety of Android and iOS-powered handsets, refusing to stay loyal to one platform. His work has also appeared on Digital Trends and GTPlanet. When he’s not fiddling with the latest devices, he’s at an indie pop show, recording a podcast or playing Sega Dreamcast.