OnePlus discloses data breach, less than two years after the last one

But the company won’t say how many are affected

Photo by Jon Porter / The Verge

OnePlus has suffered a data breach: the company says an “unauthorized party” accessed some customers’ order information. In a statement, OnePlus says some customer names, contact numbers, emails, and shipping addresses “may have been exposed,” but also that “all payment information, passwords and accounts are safe.” The company began notifying affected customers today.

In an FAQ, the company says the breach was discovered last week, and that it has “inspected our website thoroughly to ensure that there are no similar security flaws.” That suggests the breach happened through the OnePlus website, perhaps the online store, rather than its phones.

The company said that it took “immediate steps to stop the intruder and reinforce security” and to make sure there weren’t similar vulnerabilities, but it hasn’t explained why it took more than a week to disclose the incident (or why it waited to do so until the Friday before a major US holiday). The company also apparently isn’t answering questions: when we asked how many customers may have been affected, OnePlus simply shared a similar statement to the one it posted online without any additional information.

Despite the idea that your name, phone number, and personal address may have all been exposed, OnePlus’s FAQ pretends that the worst that might happen is this:

What are the consequences?

Impacted users may receive spam and phishing emails as a result of this incident.

This isn’t OnePlus’ first security incident — in January 2018, the company said that up to 40,000 customers had been affected by a security breach that caused customers’ credit card information to be stolen.

OnePlus did say in its FAQ that, as part of its efforts to upgrade its security program, it will be partnering with a “world-renowned security platform next month” and will launch a bug bounty program by the end of December. Maybe it should have done that after the first breach.