Chinese smartphone manufacturer OnePlus affected by data breach

The attackers managed to reach personal customer data due to a website vulnerability

OnePlus, the Chinese smartphone manufacturer, suffered a data breach that impacted some of the customers shopping in its online store. The precise number of victims is not yet known. The intrusion was most likely made possible by an inadequately secured official website where customers make their purchases.

The internal security team spotted the data breach after an unauthorized party managed to gain access to some users’ order information, including names, shipping addresses, emails, and phone numbers. According to the OnePlus FAQ[1] published shortly after the attack, no sensitive details such as payment information, passwords, or other account data were impacted during the incident:

Last week while monitoring our systems, our security team discovered that some of our users’ order information was accessed by an unauthorized party. We can confirm that all payment information, passwords and accounts are safe, but the name, contact number, email and shipping address in certain orders may have been exposed.

OnePlus is one of many Chinese phone manufacturers and has customers in 34 countries all over the world. Its products are gaining popularity, with the company's annual revenue reaching $1.5 billion.

OnePlus contacted the authorities before making the incident public

According to the forum post by OnePlus’ security team member Ziv,[2] the company took immediate action to mitigate the intrusion and established advanced security measures on the website to prevent further information leakage. The company also contacted the relevant authorities to work on the investigation while trying to find more details about the attack vector and other information.

As of November 22nd, security notifications had been sent to the affected users' email addresses, informing them about the data breach. According to the forum post, those who did not receive an email were not impacted by the breach.

While no financial or other sensitive data was accessed, OnePlus claims that the information obtained in the breach might be used in phishing emails or calls, with malicious actors using the acquired information to get even more details from victims. The smartphone maker also warned that it would never ask users for their personal information via email or other means.

However, the disclosure of personal addresses, names, phone numbers, and emails might be much more serious than it might initially seem, as the data might be used to gain access to other user accounts or to compile perfect scam emails. While passwords were not leaked, security experts recommend that every OnePlus customer change their passwords, especially if they are reused on other accounts. Finally, to ensure the security of all accounts, using two-factor authentication along with strong passwords is advised.

OnePlus promised improvements in its security

This is not the first time OnePlus has suffered a data breach. Back in January 2018, multiple customers started flooding the forums with reports about suspicious activity on their credit cards soon after using them to purchase OnePlus phones. As it turned out, the smartphone maker was hacked, and more than 40,000 users had their credit card details exposed to the attackers.[3] Considering the company is only six years old and has already suffered two data breaches, it is obvious that significant improvements need to be made in order to protect the otherwise satisfied customers.[4]

In the aftermath of the incident, OnePlus said that it would partner with one of the leading security platforms to increase its security and would also launch a bug bounty program in December. Bug bounty programs are practiced by most high-profile organizations worldwide.

Additionally, in the emails sent to the impacted customers, users received a direct apology:[5]

We are deeply sorry about this, and are committed to doing everything in our power to prevent further such incidents. We will continue to investigate and update you as we learn more. In the meantime, please contact us with any questions or concerns at Customer Support.