Hackers attack OnePlus again – this time stealing customer details

Hackers have once again successfully compromised the website of Chinese phone manufacturer OnePlus.

Back in January 2018 it was revealed that the credit card details of some 40,000 people using the OnePlus website had been stolen by hackers. On that occasion the attackers managed to inject a malicious script into an payment webpage that skimmed card data as it was entered by customers.

At the time OnePlus said it was conducting an indepth security audit of its systems.

The latest security incident, detailed by OnePlus in an FAQ on its website, isn’t as serious as the payment card breach – but could still lead to customers being put at risk by fraudsters and online criminals.

The cellphone manufacturer has confirmed that customers’ names, contact numbers, email addresses and shipping details have been accessed by an unauthorised party via a vulnerability on its website.

Fortunately, payment information and passwords have not been compromised.

OnePlus has not revealed just how many customers have been impacted by the data breach, but says that all affected users have been sent an email notifying them of the security incident.

Of course, even if your passwords and payment details haven’t been exposed in this latest hack – that doesn’t mean that users have nothing to worry about.

Online criminals could abuse users’ names and contact details to launch phishing attacks, spread spam, or even attempt to commit fraud over the telephone.

Of course, the challenge for affected users is that – unlike passwords – details such as your name and contact details can not be easily changed.

Customers are being advised to contact OnePlus’s support team for assistance if they have any concerns.

According to the company it has since patched the vulnerable website, and checked it for similar security flaws:

“We’ve inspected our website thoroughly to ensure that there are no similar security flaws. We are continually upgrading our security program – we are partnering with a world-renowned security platform next month, and will launch an official bug bounty program by the end of December.”

No details have been shared of the nature of the website vulnerability which allowed the hackers to access customer data, but OnePlus must realise that the patience of customers is not limited – and for a second serious security breach to have occurred in a relatively short period of time will have done nothing to strengthen users’ trust in the brand.

More transparency about what has occurred and how, combined with strengthened security, would go a long way to reassure customers who must be feeling rattled by this latest incident.

OnePlus says it has informed the authorities about the data breach and is working with the police to further investigate who might be responsible for the attack.