In a blog post, OnePlus said one of its systems was attacked and a malicious script was injected into the code of the payment page to sniff out credit card details as they were being entered.
The fact that a hack may have taken place was brought to light by the British security outfit Fidus Infosecurity on 15 January. As iTWire reported, the firm provided a detailed rundown of the possible avenue of exploitation.
When iTWire contacted OnePlus, the company denied that its systems had been breached.
As to who could have been affected, OnePlus said anyone who entered credit card details on its site between mid-November 2017 — no specific date was mentioned — and 11 January 2018 could have had those details stolen.
"Credit card info (card numbers, expiry dates and security codes) entered at oneplus.net during this period may be compromised," the company said, adding that users who paid using a saved credit card, those who paid using the "credit card via PayPal" method and those who paid via PayPal should not be affected.
"We recommend that you check your card statements and report any charges you don’t recognise to your bank. They will help you initiate a chargeback and prevent any financial loss," OnePlus said.
"For inquiries, please get in touch with our support team at https://oneplus.net/support. If you notice any potential system vulnerabilities, please report them to [email protected]. This is a monitored inbox, but please note, we may not be able to respond to all reports."
Fidus Infosecurity has been contacted for its take on the OnePlus backdown.