Reports earlier this week that credit card data was being intercepted on the OnePlus website have been confirmed by the company, with the affected users totaling around 40,000.
Credit card info (card numbers, expiry dates and security codes) entered at oneplus.net during this period may be compromised.
Although the security breach will certainly affect the company's reputation, OnePlus is applying several remedies to address the situation.
While the investigation into potential culprits is still ongoing, and while a spokesperson insists only one server was affected, OnePlus has said, "We can not apologize enough for letting something like this happen".
As an apology, OnePlus says it's looking for "a suitable way to offer one year's credit monitoring to affected users".
In the email, the Chinese company urged customers to check their accounts for unrecognised charges. As it turns out, there was an attack on the OnePlus website involving a malicious script injected into the payments page code.
Anyone who submitted card details before mid-November or after 11 January, or who used a different payment method such as PayPal, would not have been caught out.
"The malicious script operated intermittently, capturing and sending data directly from the user's browser", OnePlus admitted. "We are eternally grateful to have such a vigilant and informed community, and it pains us to let you down", OnePlus said.
OnePlus is now working with local authorities to get to the bottom of the data breach. OnePlus says it is working to implement a more secure credit card payment method before it re-enables credit card payments.
For the time being, credit card transactions on OnePlus.net will remain suspended until the company completes its investigation. "All these measures will help us prevent such incidents from happening in the future", the company said. Payment cards already saved on the site and transactions via PayPal are thought to be unaffected.
While security can never be foolproof, this is a massive red flag for the company, and it shows why using an intermediary like PayPal is always a safer option than entering your card details directly on any site.