Between mid-November 2017 and January 11, hackers were able to harvest and steal credit card data due to a loophole in OnePlus' online payment system.
Upon discovering the breach, the smartphone manufacturer was forced to stop taking card payments via its site earlier last week.
A malicious script was inserted into the company's payment page. It operated intermittently, capturing data and sending it directly from users' web browsers.
The script is thought to have harvested around 40,000 credit card details, including card numbers, expiry dates, and security codes.
OnePlus is currently carrying out an investigation and does not yet know whether the hack happened remotely or if the hacker(s) had physical access to the server in order to install the script.
What happens next?
The company has removed the malicious code, quarantined the infected server, and reinforced its security on "all relevant system structures."
Although credit card payments remain down, the company still accepts payments through PayPal.
Despite the hack, it has been noted that the company's fanbase has remained loyal and the hack shouldn't affect its future push towards the US.
OnePlus is lucky that the hack was carried out before GDPR is enforced throughout the EU.