Personal Tech

OnePlus minus 40,000 credit cards: Smartmobe store hacked to siphon payment info to crooks

Chinese biz scrambles to tear down injected theft script

By Shaun Nichols in San Francisco


OnePlus today confirmed thieves siphoned tens of thousands of people's credit card numbers from its online store.

The Chinese phone company admitted after a week of probing that about 40,000 of its customers had their payment card details nicked while buying stuff from its web shop.

Crooks were quick to start plundering victims' accounts using the swiped information, going on shopping sprees with the stolen card data.

Here's how it went down: one of the store's servers was hacked, and its code modified so that between mid-November, 2017, and January 11 this year, bank card details typed into by shoppers were copied and sent over to miscreants.

Specifically, the software was tampered with to harvest the numbers, names, and security codes on cards before they were encrypted and sent to OnePlus's payment processor. The server has since been quarantined, and the malicious code removed.

OnePlus said people who opted to use PayPal were not affected, nor was anyone who had paid with a credit card they had "saved" to the site before November 11, because those cards had been encrypted by the payment provider and saved only as tokens by OnePlus.

OnePlus has sent out emails alerting punters whose information was handed over to hackers, and said it is "looking for a suitable way" to give the affected shoppers a free year of credit monitoring. Needless to say, anyone who gets one of these messages would be well advised to have their card cancelled and replaced.

Here's what was mailed to customers earlier today:

Dear user,

We are deeply sorry to inform you that following an attack on our systems, your credit card data may have been compromised. This data includes the card number, expiry date and security code that you entered at

As soon as we were made aware of the attack, we launched an urgent investigation. We suspended credit card payments and have been working with a cybersecurity firm to reinforce our systems.

We recommend that you check your card statements and report any charges you don't recognize to your bank. They will help you initiate a chargeback and prevent any financial loss. If you run into any problems, or need further guidance, don't hesitate to reach out to us.

Meanwhile, we are looking for a suitable way to offer one year's credit monitoring to affected users. Credit monitoring is a service that alerts you to any abnormal or fraudulent use of your credit card. We will be in touch over email with details on how to claim your credit monitoring.

Once again, we cannot apologize enough for this incident and the trouble it may have caused you. We have informed the relevant authorities to monitor your card status, and will take measures to ensure this never happens again. If you have any questions, our customer support team is available at

Our deepest apologies,

The OnePlus Team

The investigation began at the weekend after folks on the OnePlus forums complained about unauthorized charges on their cards occurring after they had made a purchase on

"One of our systems was attacked, and a malicious script was injected into the payment page code to sniff out credit card info while it was being entered," OnePlus staff explained to customers on its forums.

"The malicious script operated intermittently, capturing and sending data directly from the user's browser. It has since been eliminated. We have quarantined the infected server and reinforced all relevant system structures.

"We cannot apologize enough for letting something like this happen. We are eternally grateful to have such a vigilant and informed community, and it pains us to let you down."

Critics may note that OnePlus has previously given indications of playing fast and loose with computer security. The mobe maker was found last year to have shipped handsets with factory diagnostic backdoors left active and, just days before this investigation was kicked off, OnePlus admitted it had accidentally gave some international customers a China-exclusive app that relayed clipboard-related data back to Alibaba servers. ®

Sign up to our NewsletterGet IT in your inbox daily


More from The Register

PayPal reminds users: TLS 1.2 and HTTP/1.1 are no longer optional

Insecure connections will break after June 30th. And it's acquired Hyperwallet, too

Security bods liberate EITest malware slaves

Miscreants' command and control network traffic sent down sinkhole

Time to pay, Paypal pal Venmo! Oh no, haha, put away that wallet – just promise to be nice

Payment app pinky-swears to not trample people's privacy

Malware-slinging scum copied D-Link's code-signing certificates to dress up PC nasties

Password-stealing backdoor lobbed at Windows boxes

Super Micro China super spy chip super scandal: US Homeland Security, UK spies back Amazon, Apple denials

UPDATED Officials: Not saying Bloomberg was wrong, we just believe biz saying Bloomberg was wrong

Amazon tried to entice Latin American officials with $5m in Kindles, AWS credits for .amazon

Brazil, Peru snub cheap gifts, refuse to unblock dot-word

Malware targeting cash machines fetches top dollar on dark web

Demand massively outstrips supply, researchers find

PayPal, Google ordered to make suspected pirates walk the plank into freezing waters

Follow the money: Florida judge signs off on new IP attack

Microsoft emergency update: Malware Engine needs, erm, malware protection

Stop appreciating the irony and go install the patch now

PayPal paid $US233m for company that leaked 1.6 million records

Canadian outfit TIO acquired in Feb 'fesses up to unauthorized access