Responding to reports of an alleged credit card data breach, OnePlus confirmed that nearly 40,000 customers were affected by the cyber attack.
“We are deeply sorry to announce that we have indeed been attacked, and up to 40k users at oneplus.net may be affected by the incident. We have sent out an email to all possibly affected users,” said OnePlus on its forum.
1. What happened
One of our systems was attacked, and a malicious script was injected into the payment page code to sniff out credit card info while it was being entered.
- The malicious script operated intermittently, capturing and sending data directly from the user's browser. It has since been eliminated.
- We have quarantined the infected server and reinforced all relevant system structures.
2. Who's affected
- Some users who entered their credit card info on oneplus.net between mid-November 2017 and January 11, 2018, may be affected.
- Credit card info (card numbers, expiry dates and security codes) entered at oneplus.net during this period may be compromised.
- Users who paid via a saved credit card should NOT be affected.
- Users who paid via the "Credit Card via PayPal" method should NOT be affected.
- Users who paid via PayPal should NOT be affected.
- We have contacted potentially affected users via email.
3. What you can do
- We recommend that you check your card statements and report any charges you don’t recognize to your bank. They will help you initiate a chargeback and prevent any financial loss.
- For enquiries, please get in touch with our support team at https://oneplus.net/support.
- If you notice any potential system vulnerabilities, please report them to [email protected]. This is a monitored inbox, but please note, we may not be able to respond to all reports.
4. What we are doing
We cannot apologize enough for letting something like this happen. We are eternally grateful to have such a vigilant and informed community, and it pains us to let you down.
We are in contact with potentially affected customers. We are working with our providers and local authorities to better address the incident. We are also working with our current payment providers to implement a more secure credit card payment method, as well as conducting an in-depth security audit. All these measures will help us prevent such incidents from happening in the future.
- Who might be affected?
The reports have come from some customers who made credit card payments directly on oneplus.net (without involving a third party such as PayPal). We are investigating each report.
- Is my credit card info stored on oneplus.net?
No. Your card info is never processed or saved on our website - it is sent directly to our PCI-DSS-compliant payment processing partner over an encrypted connection, and processed on their secure servers.
- What about the "save this card for future transactions" feature?
If you checked the "save this card for future transactions" while making a payment, all this means is that our payment processing partner encrypted and securely stored your card info and sent us a few digits (for identification purposes; see image below), plus a "token" - a string of symbols that represents your card. This token is stored in our system, but it's impossible for us to decrypt it and access your card info. Next time you make a payment at oneplus.net, this token will be recognized by our payment processing partner, who then fetches your original card info from their secure vault and uses it for payment processing.
- Is oneplus.net affected by the Magento bug?
Source: https://blog.sucuri.net/2015/04/impacts-of-a-hack-on-a-magento-ecommerce-website.html
Oneplus.net was initially built on the Magento eCommerce platform. However, since 2014 we have been re-building the entire website with custom code, and credit card payments were never implemented in Magento's payment module at all. So no, we shouldn't be affected.
- What about the forum cases?
Payment fraud is a perennial concern with all online payments. If you notice suspicious charges in your card statement, contact your bank immediately so they can reverse the payment. Our website is HTTPS encrypted, so it's very difficult to intercept traffic and inject malicious code, however we are conducting a complete audit.
- What can I do?
If you suspect that your credit card info has been compromised, please check your card statement and contact your bank to resolve any suspicious charges. They will help you initiate a chargeback and prevent any financial loss.
- What next?
This is an ongoing investigation. We are working with our third-party providers, and will update you on our findings as they surface. Information security is a very serious topic, and it has always been one of our top priorities. If you have any suggestions or comments, please send them to [email protected].
We would like to thank the community for bringing the issue to our notice.
What should customers do?
Customers should check their credit card statements and immediately report any transaction they don’t recognize. Customers can reach out to the company on its support page or write an email to [email protected].
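The announcement says a script was injected into the payment page code and ran in the user's browser; one defensive check for that failure mode is to audit every script a checkout page loads against a reviewed baseline. The following is an added example, not code from OnePlus or from the original post; `shop.example`, `cdn.invalid`, the file names and the function names are constructed for illustration.

```javascript
const { createHash } = require("node:crypto");

const sha256 = (text) => createHash("sha256").update(text, "utf8").digest("hex");

// Collect each <script> element's src (if any) and inline body. Regex extraction is a
// simplification; a production monitor would use an HTML parser or headless browser.
function extractScripts(html) {
  return [...html.matchAll(/<script\b([^>]*)>([\s\S]*?)<\/script\s*>/gi)].map((m) => {
    const src = /\bsrc\s*=\s*["']?([^"'\s>]+)/i.exec(m[1]);
    return { src: src ? src[1] : null, body: m[2].trim() };
  });
}

// files: absolute URL -> script text (stands in for downloading each script).
// baseline: allowed origins plus SHA-256 hashes of every reviewed script.
function auditPage(html, pageUrl, files, baseline) {
  const findings = [];
  extractScripts(html).forEach((s, i) => {
    const url = s.src ? new URL(s.src, pageUrl) : null;
    const id = url ? url.href : `inline#${i}`;
    if (url && !baseline.origins.includes(url.origin)) {
      findings.push({ id, issue: "origin-not-allowed" });
      return;
    }
    const text = url ? files[url.href] : s.body;
    if (text === undefined) findings.push({ id, issue: "content-unavailable" });
    else if (!baseline.hashes.includes(sha256(text))) findings.push({ id, issue: "hash-not-in-baseline" });
  });
  return findings;
}

// Constructed sample data: shop.example and cdn.invalid are placeholders.
const PAGE_URL = "https://shop.example/checkout";
const checkoutJs = "function submitCard(form) { return form.checkValidity(); }";
const inlineInit = "window.checkoutLocale = 'en';";
const baseline = { origins: ["https://shop.example"], hashes: [sha256(checkoutJs), sha256(inlineInit)] };
const cleanFiles = { "https://shop.example/js/checkout.js": checkoutJs };
const cleanPage = `<html><head><script src="/js/checkout.js"></script>
<script>${inlineInit}</script></head><body><form id="pay"></form></body></html>`;

// The same page after tampering: the first-party file has changed and two new script
// tags appear. The added content is a harmless comment, not real skimmer code.
const tamperedFiles = { "https://shop.example/js/checkout.js": checkoutJs + "\n/* changed */" };
const tamperedPage = cleanPage.replace("</head>",
  `<script>/* constructed: unreviewed inline block */</script>
<script src="https://cdn.invalid/lib.js"></script></head>`);

console.log(auditPage(cleanPage, PAGE_URL, cleanFiles, baseline));       // no findings
console.log(auditPage(tamperedPage, PAGE_URL, tamperedFiles, baseline)); // three findings
```

Hashing first-party files matters here because the announcement describes an attack on the site's own system, where an origin allow-list alone would show no change.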