On November 26, the Indian Computer Emergency Response Team (CERT-In) said (archived here) that it had learnt that fewer than 3,000 Indians were affected by the OnePlus data breach which exposed the name, contact number, email and shipping address of certain users. CERT-In has given this breach a “Medium” rating, and has advised OnePlus users to change their account passwords, and not to open attachments and URLs in “unsolicited” emails. The Economic Times first reported this.

The number of Indians affected by the breach isn’t mentioned in the references that CERT-In has given in the advisory, suggesting that OnePlus provided this information to CERT-In directly.

OnePlus data breach: On November 22, the Chinese phone manufacturer had said that an “unauthorised party” had gained access to the order information of some of its users on its website. While it confirmed that names, contact numbers, email addresses and shipping addresses of its users “may have been” compromised, their “payment information, passwords and accounts are safe”.

  • OnePlus said that it took “immediate steps” to stop the intruder and make sure that there were no similar vulnerabilities in its system. However, as The Verge pointed out, this did not explain why it took the company a week to disclose the data breach.
  • The company said it had reached out to users whose account details might have been compromised, going so far as to tell users who haven’t received an email from OnePlus that they could “rest assured” that their information was safe.
  • OnePlus will partner with a security platform next month, and will launch an official bug bounty program by the end of December. OnePlus hasn’t disclosed the name of the security platform that it’ll partner with.

Did OnePlus downplay the breach? OnePlus took a week to disclose the breach, and it is still unclear when exactly it notified CERT-In. As per a November 26 ET report, the company did not reveal if and when it had notified CERT-In of the breach. It only said that it was in the process of shifting its data to Amazon Web Services (AWS) India servers from Singapore. Quoting a legal expert, ET said that not reporting such an issue to CERT-In was an offence for which the company’s top brass could face consequences. CERT-In’s advisory came later that day, which could potentially mean that OnePlus notified the agency of the vulnerability only after media reports related to its non-reporting started to surface. We have reached out to OnePlus for clarification.

  • In an FAQ, the company only said that affected users might receive spam and phishing emails as a result of this incident, even though the breach exposed sensitive personal information of people, including their shipping addresses and contact numbers.

OnePlus has been here before:

  • In June 2019, a security flaw in the ‘Shot on OnePlus’ app caused OnePlus to leak the email addresses and other personal information of hundreds of its users.
  • In January 2018, OnePlus said that the credit card details of up to 40,000 users of oneplus.net may have been compromised by an attack on one of its systems.
  • In October 2017, a software engineer discovered that OxygenOS – OnePlus’s version of Android – was sending huge amounts of analytics data to the company.