OnePlus has disclosed a security issue in its out of warranty repairs system that would have allowed third parties access to some sensitive user data, reports Android Police.
The security issue was found in OnePlus’s out-of-warranty repair invoicing systems. It affected a small number of U.S. customers. This data would have included things like order numbers, phone model, IMEI. order date, name, address, phone number, email address, and repair cost. OnePlus says that no credit card details were exposed.
Join our OnePlus channel on Telegram:
In a statement given to Android Police, OnePlus clarified the issue, saying:
“On July 2, a vulnerability was fixed on the website of our U.S. repair service provider. OnePlus customers in the U.S. who were required to pay for out-of-warranty repairs or those who chose to use our recently launched warranty exchange program were sent a unique third-party link to process their payment. From the time the payment link was generated and emailed to the customer, until the time the payment information was submitted, that customer’s name, shipping address, email address, device model and IMEI were visible at the link. As soon as a user’s payment information was submitted, the link immediately became inactive. To further secure this process, an additional verification step will be required starting early next week.
After thorough investigation together with our vendor, we have found no evidence of any purposeful attempts to access these URLs.
In addition, no credit card details or payment information of any kind was ever accessible.
User privacy is a top priority for OnePlus, and we apologize for any concerns that this might cause. We have made significant security enhancements on our own platforms in recent years and are diligently working to further improve. We are also already improving our internal processes to more quickly respond to external vulnerabilities, and will more closely engage our third-party vendors to better ensure security on their platforms.”