OnePlus has confirmed it has suffered a data breach exposing sensitive details including customers’ contact numbers, names and addresses. In a statement, OnePlus admitted that hackers had accessed some of its customers’ order data but claimed payment information, passwords and accounts “are safe.”
OnePlus’ customers are being informed of the breach via email, which started to hit people’s inboxes yesterday (November 22). If you haven’t received a notification yet, OnePlus says you have not been affected.
An FAQ states that OnePlus found some users’ order information was “accessed by a third party” while monitoring its systems. No specific details are provided but it appears the breach took place through OnePlus’ online store, rather than its smartphones. The Chinese firm has not confirmed how many customers are affected.
OnePlus’ statement reads: “We took immediate steps to stop the intruder and reinforce security. Before making this public, we informed our impacted users by email. Right now, we are working with the relevant authorities to further investigate this incident.”
OnePlus hack: What to do
OnePlus said users might receive spam and phishing emails as a result of the incident. However, it could be worse.
“The data potentially stolen, like your name and address, can’t be easily changed,” points out ethical hacker John Opdenakker. One risk of this data being exposed is that criminals can use it to create phishing emails that appear legitimate, he says.
Worse, he warns, the kind of information stolen can also be abused to impersonate you and gain access to other accounts.
Taking this into account, even though OnePlus claims password data was not accessed, it makes sense to change your password now. “If you have an account with OnePlus, make sure that you change your password,” security researcher Sean Wright advises. He recommends using a unique “strong (long) password for each of your services, along with a password manager.”
In addition, says Wright: “Sign yourself up to credit monitoring to ensure no rogue accounts are opened in your name.”
OnePlus breach: Not the first time
It’s not an ideal situation for any OnePlus customer to be in, and it’s not the first time the firm has been breached. In January 2018, the Chinese manufacturer was hacked, with criminals stealing credit card information from 40,000 OnePlus customers. The news came after hundreds of customers reported fraud on their accounts after paying through the OnePlus website.
OnePlus has seen great success, particularly with its OnePlus 7 series, and this year became one of the top five global companies in the premium category.
But given the speed at which the company has grown, it really does need to improve its security. “I do question what happened given that this is the second incident in a relatively short amount of time,” says Wright. “Companies need to learn from their mistakes to ensure that they don’t suffer another breach.”
The company knows its security is not as good as it should be, and its FAQ states that it will be partnering with a “world renowned security platform” and will launch a bug bounty programme this year.
However, with Black Friday approaching, OnePlus deals are already emerging on the online store. It goes without saying that you should be careful when making any purchases, and use another means of paying such as PayPal or Apple Pay when you shop online.
Opdenakker recommends people provide “only the strict minimum of personal data” for any online account. “If possible, use a shipping address which is not your home address. Ask yourself whether a particular website really needs personal data like your phone number or birth date. Very often the answer is no, and you should not provide this data, or enter fake information.”