OnePlus finds card-stealing malware on its payment server

Smartphone maker OnePlus has confirmed that the credit card details of up to 40,000 of its customers have been accessed by persons unknown, after a data-harvesting script was implanted in the company's payment portal.

OnePlus confirmed that it was investigating reports of credit card fraud on payment cards used to purchase its smartphones early last week, but at the time put the spotlight directly on its payment processor partner. 'Your card info is never processed or saved on our website - it is sent directly to our PCI-DSS-compliant payment processing partner over an encrypted connection, and processed on their secure servers,' a OnePlus representative claimed as the reason why the company could not be the direct source of the breach. 'If you checked the "save this card for future transactions" while making a payment, all this means is that our payment processing partner encrypted and securely stored your card info and sent us a few digits, plus a "token" - a string of symbols that represents your card. This token is stored in our system, but it's impossible for us to decrypt it and access your card info. Next time you make a payment at OnePlus.net, this token will be recognised by our payment processing partner, who then fetches your original card info from their secure vault and uses it for payment processing.'

While all that may be true, however, it turns out that the breach is indeed the result of failures at OnePlus itself and not its payment processing partner. 'One of our systems was attacked, and a malicious script was injected into the payment page code to sniff out credit card info while it was being entered,' the company has confirmed in an update on its investigation. 'The malicious script operated intermittently, capturing and sending data directly from the user's browser. It has since been eliminated. We have quarantined the infected server and reinforced all relevant system structures.'

According to OnePlus' internal investigation, users who entered their credit card information into the official website between November 2017 and early January this year are likely included in the breach, which it estimates covers around 40,000 customers. Anyone who paid with a saved credit card, PayPal, or with a credit card through PayPal 'should not be affected', the company has said.

'We cannot apologise enough for letting something like this happen. We are eternally grateful to have such a vigilant and informed community, and it pains us to let you down,' the company has claimed. 'We are in contact with potentially affected customers. We are working with our providers and local authorities to better address the incident. We are also working with our current payment providers to implement a more secure credit card payment method, as well as conducting an in-depth security audit. All these measures will help us prevent such incidents from happening in the future.'

Thus far it's not clear if the attackers responsible for planting the malware on the payment server had access to any other parts of OnePlus' infrastructure.