OnePlus minus 40,000 credit cards: Smartmobe store hacked to siphon payment info to crooks

Chinese biz scrambles to tear down injected theft script

By Shaun Nichols in San Francisco

Posted in Personal Tech, 19th January 2018 19:48 GMT

OnePlus today confirmed thieves siphoned tens of thousands of people's credit card numbers from its online store.

The Chinese phone company admitted after a week of probing that about 40,000 of its customers had their payment card details nicked while buying stuff from its web shop.

Crooks were quick to start plundering victims' accounts using the swiped information, going on shopping sprees with the stolen card data.

Here's how it went down: one of the store's servers was hacked, and its code modified so that between mid-November, 2017, and January 11 this year, bank card details typed in by shoppers were copied and sent over to miscreants.

Specifically, the software was tampered with to harvest the numbers, names, and security codes on cards before they were encrypted and sent to OnePlus's payment processor. The server has since been quarantined, and the malicious code removed.

OnePlus said people who opted to use PayPal were not affected, nor was anyone who had paid with a credit card they had "saved" to the site before November 11, because those cards had been encrypted by the payment provider and saved only as tokens by OnePlus.

OnePlus has sent out emails alerting punters whose information was handed over to hackers, and said it is "looking for a suitable way" to give the affected shoppers a free year of credit monitoring. Needless to say, anyone who gets one of these messages would be well advised to have their card cancelled and replaced.

Here's what was mailed to customers earlier today:

Dear user,

We are deeply sorry to inform you that following an attack on our systems, your credit card data may have been compromised. This data includes the card number, expiry date and security code that you entered at

As soon as we were made aware of the attack, we launched an urgent investigation. We suspended credit card payments and have been working with a cybersecurity firm to reinforce our systems.

We recommend that you check your card statements and report any charges you don't recognize to your bank. They will help you initiate a chargeback and prevent any financial loss. If you run into any problems, or need further guidance, don't hesitate to reach out to us.

Meanwhile, we are looking for a suitable way to offer one year's credit monitoring to affected users. Credit monitoring is a service that alerts you to any abnormal or fraudulent use of your credit card. We will be in touch over email with details on how to claim your credit monitoring.

Once again, we cannot apologize enough for this incident and the trouble it may have caused you. We have informed the relevant authorities to monitor your card status, and will take measures to ensure this never happens again. If you have any questions, our customer support team is available at

Our deepest apologies,

The OnePlus Team

The investigation began at the weekend after folks on the OnePlus forums complained about unauthorized charges on their cards occurring after they had made a purchase on

"One of our systems was attacked, and a malicious script was injected into the payment page code to sniff out credit card info while it was being entered," OnePlus staff explained to customers on its forums.

"The malicious script operated intermittently, capturing and sending data directly from the user's browser. It has since been eliminated. We have quarantined the infected server and reinforced all relevant system structures.

"We cannot apologize enough for letting something like this happen. We are eternally grateful to have such a vigilant and informed community, and it pains us to let you down."
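A script added to a payment page, as described in the statement above, is the kind of change that shows up when the scripts a page serves are compared against a reviewed baseline. The following is an added example, not code from OnePlus or from the original article; the sample pages, host names and function names are constructed for illustration.

```python
import hashlib
from html.parser import HTMLParser
from urllib.parse import urlparse

class ScriptCollector(HTMLParser):
    """Collect external script URLs and the bodies of inline scripts."""
    def __init__(self):
        super().__init__()
        self.external, self.inline = [], []
        self._inline_open = False
    def handle_starttag(self, tag, attrs):
        if tag == "script":
            src = dict(attrs).get("src")
            self._inline_open = not src
            (self.external if src else self.inline).append(src or "")
    def handle_data(self, data):
        if self._inline_open:
            self.inline[-1] += data
    def handle_endtag(self, tag):
        if tag == "script":
            self._inline_open = False

def collect(html):
    parser = ScriptCollector()
    parser.feed(html)
    parser.close()
    return parser

def inline_hashes(html):
    """SHA-256 of each inline script; run on the reviewed page to build the baseline."""
    return {hashlib.sha256(b.encode()).hexdigest() for b in collect(html).inline}

def audit_scripts(html, allowed_hosts, allowed_inline):
    """Return (kind, detail) findings for scripts outside the reviewed baseline."""
    page = collect(html)
    findings = [("unexpected-host", s) for s in page.external
                if urlparse(s).netloc and urlparse(s).netloc not in allowed_hosts]
    findings += [("unknown-inline", h) for h in sorted(inline_hashes(html))
                 if h not in allowed_inline]
    return findings

# Constructed sample pages; every host name below is a placeholder.
ALLOWED_HOSTS = {"js.processor.example"}
REVIEWED = ('<form id="pay"><input name="card"></form>'
            '<script src="/static/checkout.js"></script>'
            '<script src="https://js.processor.example/v1/tokenize.js"></script>'
            '<script>initCheckout("pay");</script>')
# The reviewed page plus two scripts that were never reviewed.
TAMPERED = (REVIEWED + '<script>/* unreviewed inline code */</script>'
            '<script src="https://cdn.unknown.example/a.js"></script>')
```

This flags added script tags only; a change inside an already-allowed file such as the sample's `/static/checkout.js` needs a hash of that file's content as well.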

Critics may note that OnePlus has previously given indications of playing fast and loose with computer security. The mobe maker was found last year to have shipped handsets with factory diagnostic backdoors left active and, just days before this investigation was kicked off, OnePlus admitted it had accidentally given some international customers a China-exclusive app that relayed clipboard-related data back to Alibaba servers. ®
