OnePlus Says 40,000 Credit Card Numbers Were Stolen From Its Site

OnePlus Says 40,000 Credit Card Numbers Were Stolen From Its Site

Android phone maker OnePlus was forced to shut down credit card payments on its website last week after numerous reports from customers of fraudulent charges. Today, the company has announced the preliminary results of its investigation, showing that as many as 40,000 customers may have had their credit card details stolen. It turns out a malicious script has been hiding on its website for about two months.

According to OnePlus, an unknown attacker accessed one of its servers in mid-November and implanted a script, which siphoned payment details from customers when they entered their payment information in OnePlus’ online store. The stolen data included the card number, security code, and billing information. That’s everything you need to use the card. The code ran intermittently over the coming weeks until credit card payments were shut off on January 11th, 2018.

This was a well-timed attach, too. OnePlus released its newest phone, the OnePlus 5T, in November 2017. The phone started at $499 and packs much of the same hardware you get in more expensive phones like the Galaxy S8 and Pixel 2 XL. The malicious code was running on its servers during the initial rush of orders all the way through the holiday shopping season. Anyone who used a credit card on OP’s site during this time should assume their card is compromised. Those who used PayPal to buy their phone should be safe, though.

PayPal remains the only payment method.
PayPal remains the only payment method.

OnePlus says it has quarantined the affected server as the investigation continues. It’s not yet clear if the attacker was able to load the malicious script remotely or if they had physical access to the hardware. The company will provide more details when it has them, but customers whose details are known to be stolen are being contacted via email. Credit card payments on OP’s site continue to be disabled, but you can buy phones and accessories via PayPal.

Even if OP does not send an email, you should assume a card used on the site between November and the shutdown last week has been stolen. Just because there are no fraudulent charges yet doesn’t mean you’re in the clear. Your details could be sitting in a database that will be sold off in the coming weeks. OnePlus recommends those affected keep an eye on their statements, but that’s not really enough. If you used a card on OP’s site during the time it was compromised, it’s probably time to cancel the card.

Continue reading

NASA’s OSIRIS-REx Asteroid Sample Is Leaking into Space
NASA’s OSIRIS-REx Asteroid Sample Is Leaking into Space

NASA reports the probe grabbed so much regolith from the asteroid that it's leaking out of the collector. The team is now working to determine how best to keep the precious cargo from escaping.

MSI’s Nvidia RTX 3070 Gaming X Trio Review: 2080 Ti Performance, Pascal Pricing
MSI’s Nvidia RTX 3070 Gaming X Trio Review: 2080 Ti Performance, Pascal Pricing

Nvidia's new RTX 3070 is a fabulous GPU at a good price, and the MSI RTX 3070 Gaming X Trio shows it off well.

Astronomers Spot Earth-Sized Rogue Planet Wandering the Galaxy
Astronomers Spot Earth-Sized Rogue Planet Wandering the Galaxy

Astronomers have identified more than 4,000 exoplanets orbiting other stars but just a few "rogue planets" wandering the galaxy without a star to call home. A new study claims to have spotted one of these worlds, and it may be a small, rocky world like Earth.

RISC-V Tiptoes Towards Mainstream With SiFive Dev Board, High-Performance CPU
RISC-V Tiptoes Towards Mainstream With SiFive Dev Board, High-Performance CPU

RISC V continues to make inroads across the market, this time with a cheaper and more fully-featured test motherboard.