One Plus has announced that its website was compromised and up to 40,000 users credit card details may have been stolen during the attack.
Earlier this week, several OnePlus users who had used their credit card to shop at the OnePlus online store complained that they were seeing fraudulent transactions on their credit cards. OnePlus at that time said they were investigating the the claims.
"One of our systems was attacked, and a malicious script was injected into the payment page code to sniff out credit info while it was being entered," a OnePlus staff posted on the company's online forum on Friday. "The malicious script operated intermittently, capturing and sending data directly from the user's browser. It has since been eliminated."
The company said that only those who entered their credit card details on the website between "Mid-November 2017 and January 11, 2018" would potentially be affected. However, those who paid using their saved credit card details or Paypal, or accessed Paypal directly should not be affected by the breach.
"We cannot apologize enough for letting something like this to happen. We are eternally grateful to have such a vigilant and informed community, and it pains us to let you down," forum post read.
OnePlus customers who had put their credit card details on the OnePlus website between November 2017 and January 2018, should request a new credit card from their bank even if they haven't seen any fraudulent transactions.
OnePlus say that they are in "contact with potentially affected customers" and are working with their "providers and local authorities to better address the incident". However, OnePlus recommend that users check their statements, report any incident also request for a chargeback in the case of any fraudulent transactions.
"We recommend that you check your card statements and report any charges you don't recognize to your bank. They will help you initiate a chargeback and prevent any financial loss," OnePlus said.