Currently any company is exposed to computer security incidents. This time, web application security experts report that OnePlus, a smartphone manufacturer based in China, has suffered a data breach that led to the exposure of some personal details of its customers.
In a statement, the company said that “an unauthorized actor accessed the information of recent orders from some customers”. The message specifies that these records include data such as:
- Full names
- Contact phone number
- Shipping address
- Email address
OnePlus also states that users’ payment card data was not exposed during this incident, and that all affected users will be notified this week.
Web application security experts claim that the data breach was reported to the company last week, in a timely manner. Moreover, OnePlus mentions that continuous monitoring has been carried out on its website and internal networks to determine that the incident has ended. Experts consider that the OnePlus statement implicitly indicates that the attackers accessed this information through its website.
In its message, the company also states that, immediately after detecting the incident, appropriate security measures were taken to stop the intrusion and ensure that similar vulnerabilities did not exist; however, other details, such as the number of customers affected, are still unknown. In this regard, OnePlus only republished the same message, adding that the investigation is still ongoing. It is also not known why the company took nearly ten days to disclose the incident.
The FAQ section of the OnePlus website mentions that the biggest risk to affected users is receiving a phishing email or advertising spam. However, web application security experts believe that, due to the large amount of personal details exposed, affected users face much more complex risk scenarios, such as identity theft, spear phishing, and telephone fraud, among others.
This is not the first time OnePlus has revealed a computer security incident. In early 2018, the Chinese company revealed that a security breach in its internal networks led to the exposure of data from up to 40,000 customers, including payment card details.
On that occasion, the company assured users and authorities that it would update its security policies and practices over a period of no more than one month, and announced the creation of a rewards program. However, according to web application security experts from the International Institute of Cyber Security (IICS), the company has not made any major changes in the protection of its users’ data.