CHINESE PHONE MAKER OnePlus has said that 40,000 customers were affected by the breach that forced it to stop accepting credit card payments on its website.
OnePlus on Friday emailed an update to its customers, saying that 40,000, or a "small subset" of its total customer base, were potentially affected. It remains unclear, however, how many saw their payment information used for fraudulent purchases.
The findings of its ongoing investigation, which it's carrying out with a third-party security firm, reveal that a malicious script was injected into the OnePlus.net payment page code, allowing the as-yet-unknown attackers to see customers' credit card numbers, expiration dates, and security codes.
While customer reports of fraudulent purchases have only started to show up in the past week, OnePlus says that the script has been running since November - just ahead of the launch of the OnePlus 5T.
This means that those who made a purchase on the OnePlus website between November 2017 and 11 January 2018 may be at risk. However, the firm notes that those who paid via PayPal, or who paid with previously saved credit card details, should not be impacted.
"We cannot apologize enough for letting something like this happen. We are eternally grateful to have such a vigilant and informed community, and it pains us to let you down," OnePlus said.
"We are in contact with potentially affected customers. We are working with our providers and local authorities to better address the incident. We are working with our current payment providers to implement a more secure credit card payment method, as well as conducting an in-depth security audit. All these measures will help us prevent such incidents from happening in the future."
The firm notes that it's offering affected customers a year of credit monitoring service for free, and advises that those who believe they're at risk check bank statements for any suspect charges.
Credit card payments will remain suspended on the OnePlus.net store until the investigation is complete, with customers able to purchase items through PayPal in the meantime. µ