For the second time in two years, smartphone maker OnePlus has been the victim of a cyberattack.
Hackers accessed the data of thousands of OnePlus customers through a vulnerability in the vendor’s website.
The company admitted that hackers had accessed sensitive details including customers’ contact numbers, names and addresses, but stressed that no payment information or passwords had been accessed.
It added that customers who have not yet received a notification have not been affected.
However, it did advise users to change their account password to a strong one.
In an email to affected customers, OnePlus said: “We took immediate steps to stop the intruder and reinforce security.
“Right now, we are working with the relevant authorities to further investigate this incident and protect your data.”
The breach took place through OnePlus’ online store, rather than its smartphones. OnePlus says hackers gained access to past customer orders.
The Chinese-owned firm did not confirm how many customers are affected by the data breach.
However, CERT-In, India’s cybersecurity agency, has released an advisory for OnePlus customers in India and claimed that fewer than 3,000 Indian customers were exposed in the recent security breach.
OnePlus has said that, as a result of the latest data breach, it will partner with a “world-renowned security platform” and launch an official bug bounty program by the end of December. The severity of this breach was rated as “medium.”
The last time OnePlus suffered a data breach was in January last year. More than 40,000 customers had their credit card information stolen by hackers.
At the time, a statement from the company on its community forums explained: “One of our systems was attacked, and a malicious script was injected into the payment page code to sniff out credit card info while it was being entered.”
The script intermittently captured data and sent it from users’ browsers back to the hackers responsible for the attack.
The company took immediate action, quarantining the infected server and reinforcing all related security systems.
The company claimed that users who paid using saved credit card information or PayPal were not affected. The people potentially at risk are those who entered new credit card info between mid-November 2017 and 11th January 2018.
Advice to customers
If an email hasn’t landed in your inbox, you can assume your account details haven’t been exposed.
The cyber-security body CERT-In further warned users that they may receive spam and phishing emails as a result of this incident, and it has asked users to be vigilant.
As with all devices, look out for signs of phishing attempts sent to you. These are emails that will try to direct you to a spoof website to get you to enter financial details or other sensitive information.
CERT-In also urged users not to open attachments and suggested not clicking on URL links contained in a spam email, even if the link seems genuine.
This is a way for scammers to get hold of your name, email address and other details; the emails usually look professional and appear to come from a reputable source.
Make sure you double-check where emailed links are sending you and keep your browser software up to date to minimize your chances of getting caught out.
OnePlus says: “OnePlus will never ask you for your passwords, and any financial information should only be provided via a secure payment page on the OnePlus website or one of our partners if you are buying products from us.”