OnePlus Attackers Steal Credit Card Data From 40,000 Customers

Days after receiving initial reports about fraudulent activity, the mobile phone vendor reveals that attackers were able to get a malicious script onto its website that stole user credit card information.

Data Breach Alarm

Mobile phone vendor OnePlus announced on Jan. 19 that it was the victim of a security breach that exposed credit card information of up to 40,000 customers.

The admission that there was a data breach comes three days after OnePlus announced that it was temporarily disabling credit card payments on its website. OnePlus disabled the credit card payments on Jan. 16, after receiving reports from customers that they were seeing unknown credit card charges after buying something online from OnePlus.

"One of our systems was attacked, and a malicious script was injected into the payment page code to sniff out credit card info while it was being entered," OnePlus stated in an advisory on the breach.

The attack appears to had been ongoing from mid-November 2017 until Jan. 11, 2018, OnePlus said. According to the company, credit card information (card numbers, expiration dates and security codes) that was entered on the site may have been compromised. Users who saved their credit card information on the site, as well as those who use PayPal, do not appear to be impacted by the breach, however.

OnePlus' investigation into the data breach found that a malicious script was operating intermittently on the site. The script was able to capture data from end users' web browsers and then send that data to the attacker. According to OnePlus, it has now eliminated the immediate risk. 

"We have quarantined the infected server and reinforced all relevant system structures," OnePlus stated.

What remains unclear is how the malicious script got onto the OnePlus server in the first place and why it wasn't caught by security technology. The company is now working with its technology providers as well as law enforcement to further investigate the security incident.

"We are also working with our current payment providers to implement a more secure credit card payment method, as well as conducting an in-depth security audit," OnePlus stated. "All these measures will help us prevent such incidents from happening in the future."

Chris Morales, head of security analytics at Vectra, said he is impressed with the expediency and thoroughness OnePlus is taking in providing its customers with a breach notification. That said, Morales noted that while it is unfortunate that the breach occurred, it is not at all surprising.

"This breach should be a reminder that HTTPS, while encrypted, is not a guarantee of a secure transaction as attackers can compromise the systems at both ends of any encrypted conversation," Morales told eWEEK.

What Should End Users Do?

OnePlus recommends that its customers check their credit card statement and immediately report any unrecognized charges. The company will also be providing credit card monitoring services to impacted customers.

"Unfortunately, there is not much a consumer can do to prevent being victimized as part of a breach," Shawn Kanady, principal security consultant at security Trustwave, told eWEEK.

Kanady added that online shopping will always be risky for the consumer so it becomes more of an awareness and detection issue for the everyday shopper. In his view, the key is to understand the risk and set up some safeguards.

Among the online safeguards that Kanady recommends for online shoppers are the following:

  • Set up text-based alerts on your bank/credit account for any transaction over a certain dollar amount. It could be $1.
  • Set up accounts that are only used when shopping online. Segregating your accounts will prevent fraud on your high-value accounts like your checking account.
  • Do not opt-in on saving your credit card information for later billing.
  • Use prepaid cards or a PayPal account for online shopping, allowing for an extra layer between the attacker and your real accounts.

Sean Michael Kerner is a senior editor at eWEEK and Follow him on Twitter @TechJournalist.

Sean Michael Kerner

Sean Michael Kerner

Sean Michael Kerner is an Internet consultant, strategist, and contributor to several leading IT business web sites.