OnePlus minus 40,000 credit cards: Smartmobe store hacked to siphon payment info to crooks

Chinese biz scrambles to tear down injected theft script

By Shaun Nichols in San Francisco

Posted in Personal Tech, 19th January 2018 19:48 GMT

OnePlus today confirmed thieves siphoned tens of thousands of people's credit card numbers from its online store.

The Chinese phone company admitted after a week of probing that about 40,000 of its customers had their payment card details nicked while buying stuff from its web shop.

Crooks were quick to start plundering victims' accounts using the swiped information, going on shopping sprees with the stolen card data.

Here's how it went down: one of the store's servers was hacked, and its code modified so that between mid-November, 2017, and January 11 this year, bank card details typed into oneplus.net by shoppers were copied and sent over to miscreants.

Specifically, the software was tampered with to harvest the numbers, names, and security codes on cards before they were encrypted and sent to OnePlus's payment processor. The server has since been quarantined, and the malicious code removed.

OnePlus said people who opted to use PayPal were not affected, nor was anyone who had paid with a credit card they had "saved" to the site before November 11, because those cards had been encrypted by the payment provider and saved only as tokens by OnePlus.

OnePlus has sent out emails alerting punters whose information was handed over to hackers, and said it is "looking for a suitable way" to give the affected shoppers a free year of credit monitoring. Needless to say, anyone who gets one of these messages would be well advised to have their card cancelled and replaced.

Here's what was mailed to customers earlier today:

Dear user,

We are deeply sorry to inform you that following an attack on our systems, your credit card data may have been compromised. This data includes the card number, expiry date and security code that you entered at oneplus.net.

As soon as we were made aware of the attack, we launched an urgent investigation. We suspended credit card payments and have been working with a cybersecurity firm to reinforce our systems.

We recommend that you check your card statements and report any charges you don't recognize to your bank. They will help you initiate a chargeback and prevent any financial loss. If you run into any problems, or need further guidance, don't hesitate to reach out to us.

Meanwhile, we are looking for a suitable way to offer one year's credit monitoring to affected users. Credit monitoring is a service that alerts you to any abnormal or fraudulent use of your credit card. We will be in touch over email with details on how to claim your credit monitoring.

Once again, we cannot apologize enough for this incident and the trouble it may have caused you. We have informed the relevant authorities to monitor your card status, and will take measures to ensure this never happens again. If you have any questions, our customer support team is available at support@oneplus.net.

Our deepest apologies,

The OnePlus Team

The investigation began at the weekend after folks on the OnePlus forums complained about unauthorized charges on their cards occurring after they had made a purchase on OnePlus.net.

"One of our systems was attacked, and a malicious script was injected into the payment page code to sniff out credit card info while it was being entered," OnePlus staff explained to customers on its forums.

"The malicious script operated intermittently, capturing and sending data directly from the user's browser. It has since been eliminated. We have quarantined the infected server and reinforced all relevant system structures.

"We cannot apologize enough for letting something like this happen. We are eternally grateful to have such a vigilant and informed community, and it pains us to let you down."

Critics may note that OnePlus has previously given indications of playing fast and loose with computer security. The mobe maker was found last year to have shipped handsets with factory diagnostic backdoors left active and, just days before this investigation was kicked off, OnePlus admitted it had accidentally given some international customers a China-exclusive app that relayed clipboard-related data back to Alibaba servers. ®
