In this day and age of connected systems and online transactions, cybersecurity is of paramount importance. Unfortunately, systems are designed by people and are prone to vulnerabilities and flaws. OnePlus has now disclosed a data breach incident, wherein it says some users' order information was “accessed by an unauthorized party.” This was disclosed in a blog post where OnePlus’ security team staff member Ziv C. posted the information. As per the company, breached information doesn’t include any payment information and passwords, and says that all the accounts are safe. However, names, contact info, email and shipping address ‘may’ have been revealed.
As for the effects of this data breach, OnePlus says affected users could receive phishing emails or get spammed as a result. However, it has not disclosed how many users were actually affected. “We took immediate steps to stop the intruder and reinforce security. Before making this public, we informed our impacted users by email. Right now, we are working with the relevant authorities to further investigate this incident,” OnePlus writes in its blog post. The company has apologised and says it has inspected its website for similar flaws and has sent out emails to all affected users. The weird bit is that the company has not disclosed any further details like what vulnerability led to information disclosure.
As mentioned earlier, this isn’t the first time OnePlus has suffered from a security incident. Back in January 2018, the smartphone manufacturer revealed that about 40,000 customers' credit card information was stolen from its website. This apparently happened due to a malicious script that was inserted on the company’s web pages. It is said to have read and sent sensitive financial data directly from a user’s browser.
While the credit card information leak was a big blow to the company’s security, it again slipped up with user’s data. In June this year, the company’s Shot On OnePlus app was found to have a flaw that was leaking email IDs of thousands of OnePlus smartphone users. OnePlus was reportedly using an API to connect its server with the Shot on OnePlus app and the API was hosted on open.oneplus.net, which was said to be not secure. Anyone with an access token, which could be retrieved easily, could enter the server. You can read more about it here.