Signs of an attack on OnePlus’s payments page were reported on Reddit and the OnePlus forums, but it was researchers at Fidus who first concluded that either (1) OnePlus’s credit card payment gateway CyberSource was hacked, or that (2) the web store was compromised.
On top of that, the Fidus researchers discovered that OnePlus’s payments page wasn’t compliant with the UK Cards Association’s PCI-DSS standard, contrary to the company’s claims. One of the requirements of PCI-DSS is that a company’s servers must “encrypt transmission of cardholder data and sensitive information across public net”, but that didn’t appear to have been the case.
OnePlus says that its systems were attacked, and that a malicious script designed to sniff out credit card data as customers entered it had been injected into the payments page code, The team learned that the malicious script operated intermittently, capturing and sending data directly from users’ browsers to an offsite server.
OnePlus identified the script and removed it this week, and took the precautionary step of quarantining the infected server and “reinforcing all relevant system structures”. But it says that as many as 40,000 users might have been affected.
What is OnePlus doing now?
OnePlus apologized for the payments breach and says it’s “eternally grateful” to the community for identifying a pattern of fraudulent payments. The company’s reviewing logs and contacting people who might have been impacted by the breach, it says, and working with its payments provider and local authorities to prevent future incidents.
OnePlus also says it plans to implement a “more secure” credit card payment method on its website, and that it’s conducting an in-depth security audit to see if there are any other vulnerabilities attackers could be taking advantage of.
It’s too early to tell yet, but the company might be investigated by the PCI Security Standards Council for failing to encrypt payments information on its website. It might be fined, or potentially even barred from supporting credit card payments in future.