Why OnePlus’s Credit Card Data Breach is Particularly Bad

The other shoe dropped today for OnePlus, who announced they had determined as many as 40,000 customers’ card information had been compromised.

According to the internal investigation, a malicious script was running on one of the company’s payment processing servers and was able to capture customers’ full credit card numbers, expiration dates, and security codes directly from the user’s browser window.

WOW! Most of the time when a credit card is stolen from a merchant’s database, the CVV is not captured because it is against PCI regulations for any merchant or payment processor to store that critical piece of data. Because this script was capturing data directly from the customer’s browser, the CVV had not been purged from the system yet. That CVV is something only you and your bank should know, and it’s the essential element in online (card not present) transactions to verify you have the actual card with you and are not using someone else’s card. With the CVV, a criminal using your card looks exactly like you to the bank[1]. So yeah, that’s really not good.

This is why new payment methods like Google Pay and Apple Pay are so important. If OnePlus had allowed me to pay with a more secure payment method like those instead, this script would not have been able to do anything.

I don’t own a OnePlus phone, but I did buy my brother an accessory for Christmas last year and I bought it from their store. Faaaantastic.


  1. Hopefully your bank notices an IP address abnormality or something else and flags the transaction as fraudulent, but that’s no guarantee.