Chinese smartphone maker OnePlus has suffered a new data breach exposing personal and order information of an undisclosed number of its customers, likely as a result of a vulnerability in its online store website.
The breach came to light after OnePlus started informing affected customers via email and published a brief FAQ page to disclose information about the security incident.
According to OnePlus, the company discovered the breach just last week after an unauthorized party accessed order information of its customers, including their names, contact numbers, emails, and shipping addresses.
“Last week while monitoring our systems, our security team discovered that some of our users’ order information was accessed by an unauthorized party,” the company said.
OnePlus also said that not all customers were affected and that the attackers were not able to access any payment information, passwords, or associated accounts.
“Impacted users may receive spam and phishing emails as a result of this incident.”
Though the company did not provide any details of the vulnerability that attackers exploited to compromise its store, it did inspect the server thoroughly to ensure there aren’t any other similar vulnerabilities.
“We took immediate steps to stop the intruder and reinforce security, making sure there are no similar vulnerabilities,” OnePlus said. “Right now, we are working with the relevant authorities to further investigate this incident.”
As a result of this breach, the company has also finally decided to launch an official bug bounty program by the end of December 2019, allowing researchers and hackers to get paid for responsibly reporting severe vulnerabilities before attackers can do any further damage.
“We are continually upgrading our security program – we are partnering with a world-renowned security platform next month, and will launch an official bug bounty program by the end of December,” the company said.
Although the breach does not involve your OnePlus account password, you are still advised to change the password for your account.
Affected OnePlus customers should also be suspicious of phishing emails, which are usually cybercriminals’ next step in an attempt to trick users into giving away their passwords and credit card information.
This isn’t the first time OnePlus has reported a data breach.
As The Hacker News reported back in January 2018, the company’s website was hacked by an unknown attacker to steal credit card information belonging to up to 40,000 OnePlus customers.