OnePlus.net has been breached: 40,000 customers at risk of fraud

Nicola Ligas -

The suspicion had been circulating for days, but today the official confirmation arrived: the OnePlus store was attacked, and as a result up to 40,000 users may be at risk of fraud on their credit card. OnePlus says it has already sent an email about this to all affected customers, but let's go through what happened in order.

What happened

One of OnePlus's servers was breached and a malicious script was planted on it. The script ran intermittently, capturing data directly from users' browsers and sending it to the attackers. The script has been removed. The infected server was quarantined and all relevant parts of the system were hardened.
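As an added illustration of how a defender can spot the kind of injection described above (this is example code written for this article, not code from OnePlus or from the incident), the script below takes a known-good copy of a checkout page, records its external script sources and the SHA-256 of each inline script, and reports anything on a freshly served copy that the baseline does not contain. The HTML pages and URLs are constructed placeholders.

```python
import hashlib
from html.parser import HTMLParser


class ScriptCollector(HTMLParser):
    """Collects <script src> URLs and SHA-256 digests of inline <script> bodies."""
    def __init__(self):
        super().__init__()
        self.external = set()
        self.inline_hashes = set()
        self._inline_buf = None  # list while inside an inline <script>, else None

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            src = dict(attrs).get("src")
            if src:
                self.external.add(src)
            else:
                self._inline_buf = []

    def handle_data(self, data):
        if self._inline_buf is not None:
            self._inline_buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._inline_buf is not None:
            body = "".join(self._inline_buf).strip().encode()
            self.inline_hashes.add(hashlib.sha256(body).hexdigest())
            self._inline_buf = None


def collect_scripts(html):
    parser = ScriptCollector()
    parser.feed(html)
    parser.close()
    return parser.external, parser.inline_hashes


def find_injected_scripts(known_good_html, served_html):
    # Returns (unexpected external srcs, unexpected inline digests) on the served page.
    base_ext, base_inline = collect_scripts(known_good_html)
    cur_ext, cur_inline = collect_scripts(served_html)
    return cur_ext - base_ext, cur_inline - base_inline


# Constructed sample pages: a known-good checkout page and a tampered copy of it.
KNOWN_GOOD = """<html><body>
<script src="https://shop.example/js/checkout.js"></script>
<script>window.checkout = {step: "payment"};</script>
<form id="card"><input name="number"><input name="cvv"></form>
</body></html>"""

TAMPERED = KNOWN_GOOD.replace("</form>", '</form>\n<script src="https://cdn.placeholder.invalid/s.js"></script>\n<script>/* unexpected inline script */</script>')
```

Because the injected script in this incident ran only intermittently, a check like this has to be repeated on every served copy (or at short intervals from several vantage points), not run once at deploy time.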

Who was affected

Users who entered (note the emphasis) their credit card details on oneplus.net between mid-November 2017 and 11 January 2018 may have been compromised.

Users who paid with a credit card that had already been saved previously should not (note the conditional) be affected. Likewise, those who paid via PayPal or with “credit card via PayPal” should be safe.

We repeat that affected users should already have been contacted by OnePlus, so if you have received no communication you should be relatively safe. Check your spam folder carefully too, to avoid nasty surprises. We nevertheless urge everyone who made purchases on OnePlus.net during that period to check their credit card transactions carefully.

What victims can do

If you notice transactions you did not authorize, contact your bank and/or your credit card issuer immediately to start the refund and reporting procedures. You can also reach OnePlus support at https://oneplus.net/support, but in any case it is not they who have to handle this.

If you discover any vulnerability in general, report it to security@oneplus.net.

What OnePlus is doing

Apart from apologizing profusely to its customers and thanking the community, OnePlus is in contact with potentially affected customers and with providers and local authorities to resolve this “incident”. OnePlus is also working with its current payment partner to implement a new and more secure credit card payment method, in addition to conducting in-depth investigations. All of this should prevent similar incidents from happening again in the future. And that is obviously what we hope.

The text of the email sent to affected customers

Below we reproduce (via Reddit) the text of the email OnePlus sent to customers affected by the possible data theft. Check your inbox, including spam, if you think you might be among them. For better or worse, the email says nothing different from what we have already reported above.

Dear XXX,

We were recently involved in a security incident potentially affecting personal information relating to you. This notice describes what we know so far, steps we have taken in response to the incident, and actions you may wish to take to protect yourself.

We are working to provide potentially affected customers a year of free credit monitoring, where it’s available. This service means you can quickly and easily check as well as receive alerts about any changes to your credit history. Please register your interest via the following link: https://oneplus.net/claim.

What Happened

On January 11, 2018, we were notified of several credit card fraud cases possibly related to purchases made at OnePlus.net. We promptly took steps to investigate the situation, and ultimately determined that an unknown attacker had injected a malicious script into the payment processing page of our website to intermittently capture credit card information as it was being entered. We immediately quarantined the affected server, reinforced our systems, and disabled credit card payments for good measure.

What Information Was Involved

We believe that personal information relating to you, including your credit/debit card number, credit/debit card expiration date, and CVV/CSC number, may have been compromised during the incident. As noted above, the malicious script appears to have only intermittently captured customer information, so we cannot confirm that your data was compromised. However, out of an abundance of caution, we are providing this notice to all customers that submitted their credit card data on our online store during the window of time in which the malicious script is believed to have been active.

What We Are Doing

Your privacy and data security are extremely important to us. We regularly review and enhance the OnePlus IT and cybersecurity systems and processes. In addition to investigating the incident, we have engaged an expert cybersecurity firm to assist with reinforcing the security of our systems. We also thoroughly reviewed and confirmed the security of the affected webpage before reinstating credit card payments for our website. We have also reported the incident to Hong Kong law enforcement.

We are also taking steps to notify each individual whose personal information was potentially affected by this incident. We will continue to take appropriate steps to minimize the risk of future cybersecurity incidents.

What You Can Do

As a general rule, we recommend that you remain vigilant about your personal information by regularly reviewing your financial account statements and periodically checking your credit report. Every individual, whether or not their data has been involved in a security breach, can receive one free credit report every twelve months from each of the three nationwide credit reporting agencies:

Equifax, 800.525.6285, P.O. Box 740241, Atlanta, GA 30374, www.equifax.com

Experian, 888.397.3742, P.O. Box 9532, Allen, TX 75013, www.experian.com

TransUnion, 800.680.7289, Fraud Victim Assistance Division, P.O. Box 6790, Fullerton, CA 92834, www.transunion.com

Review the reports carefully for inquiries from companies you did not contact, accounts you did not open, and debts that you cannot explain. Verify the accuracy of your complete name, Social Security number, address(es), and employer(s). Notify the three consumer reporting agencies about any inaccuracies and promptly report any suspicious activity or suspected identity theft to proper law enforcement authorities, including local law enforcement, your state’s attorney general, or the Federal Trade Commission (“FTC”). If you make a report to law enforcement, make sure to request a copy of the police report, as you may need to provide copies to creditors to clear up your records. In addition, you may request that the Internal Revenue Service (IRS) mark your account to identify any questionable activity by submitting Form 14039, “Identity Theft Affidavit,” for actual or potential identity theft victims. This form is available at https://www.irs.gov/pub/irs-pdf/f14039.pdf.

You may wish to add a fraud alert to your credit report file to make it more difficult for someone to get credit in your name. A fraud alert is a consumer statement added to your credit report. This statement alerts creditors of possible fraudulent activity within your report as well as requests that they contact you prior to establishing any accounts in your name. Once the fraud alert is added to your credit report, all creditors should contact you prior to establishing any account in your name. To place a fraud alert on your file, contact one of the three nationwide credit reporting agencies at the contact information provided above. The first agency that processes your fraud alert will notify the others to do so as well. Please be aware that a fraud alert may delay your ability to obtain credit.

You may also add a security freeze to your credit report file to prohibit a credit reporting agency from releasing information from your credit report without your prior written authorization. To place a security freeze (also known as a “credit freeze”), contact the three credit reporting agencies at the contact information provided above. Unlike a fraud alert, you must separately place a credit freeze on your credit file at each credit reporting agency. Please be aware that using a security freeze may interfere with or delay your ability to obtain credit. You may also incur fees to place, lift, and/or remove a security freeze, which generally range from $5-20 per action.

Be vigilant against phishing attacks. Some criminals may use your personal information to contact you posing as a reputable source to try and trick you into providing confidential information (commonly called “phishing”). For example, they might call you or email you pretending to be a trusted party and ask you to confirm sensitive personal information, such as your social security number or financial account information. Please know that we will never ask you to confirm any sensitive personal information by email or over an unsolicited phone call. If you do happen to be contacted with such a request, it is not from OnePlus, and you should not provide any personal information. For more information on phishing and on how to avoid being a victim of phishing, please see https://www.us-cert.gov/ncas/tips/ST04-014.

For more information about fraud alerts, security freezes, and avoiding identity theft, you can contact any of the three credit reporting agencies (contact information above), your state’s regulatory authority, or the FTC (contact information below).

Federal Trade Commission, Consumer Response Center, 600 Pennsylvania Avenue NW, Washington, DC 20580, 1.877.IDTHEFT (438.4338), www.ftc.gov/idtheft

For More Information

We truly regret any inconvenience this incident causes you. If you have any questions, please contact us using the contact information provided below or by calling +1 (858) 609-6590 during 4am-10pm EDT.

Sincerely,

The OnePlus Team

Source: OnePlus (forum)