OnePlus is reporting the second breach of customer data in as many years. A member of the security team informed customers of the breach on the company’s support forums.
According to the statement, some “users’ order information was accessed by an unauthorized party. We can confirm that all payment information, passwords and accounts are safe, but certain users’ name, contact number, email and shipping address may have been exposed. Impacted users may receive spam and phishing emails as a result of this incident.”
OnePlus says immediate action was taken to stop the intrusion and shore up security, but questions remain. In a related FAQ, the company says the breach occurred last week, but there is no explanation as to why it took a week to make an announcement. Similarly, the company does not definitively say where the breach occurred, although the wording of the announcement and the FAQ seem to indicate it happened via their website rather than through a flaw in their phones. Perhaps most significantly, OnePlus did not return requests by The Verge for information on exactly how many users were impacted.
The company did say that affected users were notified before the public announcement. If customers have not received any notification, it’s a safe bet their information was not part of the breach.