OnePlus suffers data breach, exposing personal details of online store customers

OnePlus has issued a security notice to customers that have used its online store, informing them that their order information has been accessed by an unnamed third party in a security breach.

The company is giving away very little in the way of details about the incident. It is not clear when the data breach happened, who may be responsible, or how many customers are affected. OnePlus says that information such as names, phone numbers, email addresses and shipping addresses has been exposed.

While OnePlus says that customers' payment information and passwords are safe, the data that has been accessed is still enough to be worrisome. What has been exposed would be more than enough to launch phishing attacks, and OnePlus acknowledges this possibility in a security notice about the breach.

This is not the first time that the OnePlus store has proved to be a little leaky. Back at the start of 2018, there was another security incident involving the company's online payment portal. While customers are now complaining that OnePlus does not seem to have learned from the mistakes of the past, the company says it plans to launch a bug bounty program by the end of the year.

In a message posted on the OnePlus forums, the company's security team says:

This is Ziv, from the Security team. We want to update you that we have discovered that some of our users' order information was accessed by an unauthorized party. We can confirm that all payment information, passwords and accounts are safe, but certain users' name, contact number, email and shipping address may have been exposed. Impacted users may receive spam and phishing emails as a result of this incident.

We took immediate steps to stop the intruder and reinforce security. Before making this public, we informed our impacted users by email. Right now, we are working with the relevant authorities to further investigate this incident.

We are deeply sorry about this, and are committed to doing everything in our power to prevent further such incidents. Please contact us with any questions or concerns at Customer Support.

An email sent out by the company expands upon this notice somewhat, but still does not give away a great deal of information about the incident. The full text of the email sent out to affected OnePlus customers reads:

We are reaching out to you directly as we have discovered that part of your order information was accessed by an unauthorized party. We can confirm that your payment information, password and account are safe, but your name, contact number, email and shipping address may have been exposed.

We took immediate steps to stop the intruder and reinforce security. Right now, we are working with the relevant authorities to further investigate this incident and protect your data.

We wanted to notify you of this so that you can be alert to people pretending to be OnePlus to get further information from you, or people asking you to buy products or services from them. OnePlus will never ask you for your passwords, and any financial information should only be provided via a secure payment page on the OnePlus website or one of our partners if you are buying products from us.

We are deeply sorry about this, and are committed to doing everything in our power to prevent further such incidents. We will continue to investigate and update you as we learn more. In the meantime, please contact us with any questions or concerns at Customer Support.

The company has published an FAQ but, again, little detail is contained within it:

What happened?
While monitoring our systems, our security team discovered that some of our users' order information was accessed by an unauthorized party. We can confirm that all payment information, passwords and accounts are safe, but the name, contact number, email and shipping address in certain orders may have been exposed.

What information was exposed?
The name, contact number, email and shipping address within certain orders may have been exposed.

I received an email saying that my information was leaked. What can I do now?
There is no additional action required on your part for now, but please be aware that you may receive spam and phishing emails as a result of this incident.

What have you done in response?
We took immediate steps to stop the intruder and reinforce security, making sure there are no similar vulnerabilities. Before making this public, we informed our impacted users by email. Right now, we are working with the relevant authorities to further investigate this incident.

How do I know if my information was involved?
We understand that personal information is very important to our users, and all impacted users were notified via email. If you don't get an email from us today, rest assured that your order information is safe. However, if you have further concerns, please contact us at oneplus.com/support for assistance.

What will you do to improve information security?
We've inspected our website thoroughly to ensure that there are no similar security flaws. We are continually upgrading our security program -- we are partnering with a world-renowned security platform next month, and will launch an official bug bounty program by the end of December.

Image credit: In Green / Shutterstock

© 1998-2019 BetaNews, Inc. All Rights Reserved.