Cyber Incident Victim: OnePlus

The OnePlus data breach occurred around November 15, 2019, and was promptly detected by the company. Attackers exploited a vulnerability in the smartphone manufacturer's online store website, gaining unauthorized access to historical customer order records. The compromised data included customer names, contact numbers, email addresses, and shipping information, though payment details and account credentials remained unaffected. OnePlus initiated an internal investigation immediately upon discovery and conducted a comprehensive security review of its web infrastructure to identify similar vulnerabilities. The company delayed public disclosure until November 22, 2019, after first notifying affected customers directly via email about the exposure of their personal information.

This incident marked the second major security breach for OnePlus within two years, following a January 2018 breach that compromised data belonging to approximately 40,000 customers. In response to the 2019 breach, OnePlus collaborated with law enforcement agencies to investigate the attack while implementing unspecified security enhancements to its online systems. The company announced plans to establish formal security partnerships with a prominent cybersecurity platform within the following month and committed to launching an official bug bounty program by December 2019. The breach coincided with a separate security incident disclosed by T-Mobile US affecting a limited number of customer accounts, though no operational connection between the two events was established. OnePlus maintained that no financial data was accessed but provided no specific details regarding the number of impacted users or the exact nature of the website vulnerability exploited in the attack.