
OnePlus Hit by Data Breach - bbrks
https://forums.oneplus.com/threads/security-notification.1144088/
======
grammarxcore
When I opened the link, I was hit with a modal for a raffle. I understand that
it's the site's normal behavior and there's no way to single out a single
thread (probably), but readers of this thread probably don't want to hand over
data for a raffle.

~~~
thiagomgd
Ironic that a post about data breach asks for your data

------
rvz
> But certain users' name, contact number, email and shipping address may have
> been exposed. Impacted users may receive spam and phishing emails as a
> result of this incident.

Those are personally identifiable information that has been breached. So the
attackers can identify me with my shipping address, email and my name.

Minus One Hundred Thousand from me.

------
kissickas
My information got leaked by OnePlus last year and I got hit with some minor
credit card fraud. At least I didn't get hit this time... One would think that
companies would step up their security after a breach.

~~~
koolba
I bet security breaches for companies are more like heart complications for
humans. Once you’ve been to the hospital once for one, you’re statistically
more likely to have another incident.

------
xhruso00
"We are deeply sorry about this" => we don't care much and we will try to hire
not the cheapest dev around

~~~
undersuit
Everyone hires the cheapest dev... even Silicon Valley giants!

------
po1nter
> We took immediate steps to stop the intruder and reinforce security.

How did they get in? and why wasn't the security "reinforced" in the first
place?

------
snovv_crash
I find it so funny that you have to pay a bank to hold your personal items
safe in a safety deposit box, yet companies left right and center are doing
their best to acquire and hoard giant amounts of sensitive information without
understanding the liability they create for themselves.

My hope is that over the coming decade there is a mental shift, and personal
information becomes seen as a risk rather than a resource.

~~~
BeetleB
The liability for banks for safety deposit items is very low.

https://blogs.findlaw.com/law_and_life/2019/07/safe-deposits-not-so-safe4.html

------
maximente
i get that use of the passive voice makes things more PR friendly, but the
cynic in me feels that these should really be in the active voice:

- Intruders breached OnePlus systems

- On X date, unauthorized intruders accessed data in our systems

etc.

~~~
frenchyatwork
I'm not sure I agree. The purpose of the passive voice is to promote or bring
into focus the object or "patient" argument. In this case, the topic is really
OnePlus' systems and the fact that their security was compromised. The identity
and nature of the intruders is not the focus and is probably not even known, so
the passive voice makes sense.

------
bassman9000
https://www.engadget.com/2017/10/11/oneplus-oxygenos-data-anonymity/

https://www.theverge.com/circuitbreaker/2017/10/11/16457954/oneplus-phones-collecting-sensitive-data

~~~
away_throw
The great thing about OnePlus phones is that nearly all of them have LineageOS
support. I just install this over OxygenOS. Also when I installed OxygenOS, I
recall it asking if I wanted to provide analytics to them in the setup
process.

------
unlinked_dll
I get that data breaches are their own class of problem, but I do find it
ironic that people gave their contact/sales info to a company headquartered in
Shenzhen and have any expectation of data protection/privacy.

~~~
cdmckay
Because American companies definitely don’t sell your data.

~~~
vdnkh
Whataboutism

~~~
tanilama
We need it.

------
kabes
Ok, the breach shouldn't have been possible. But at least, when a breach does
happen, this is a good example of how a company should communicate. First
assessing who/what has been impacted, informing affected customers and a clear
(could use some more detail) public statement. Of course, some laws like GDPR
force them to do this, but in reality we still see enough big corporations
handle this way worse on an almost daily basis.

~~~
outworlder
As an example of an initial notification, maybe. However, that has to be
followed up with a full post mortem. I see zero information about what
happened or what steps are being taken.

~~~
undersuit
They're still figuring that all out. The second post in the thread is about
all they know probably. I only got my email about the breach an hour before
the post was made.

------
waterdownship
Lessons:

1. Use a pseudonym (nickname) for shipping, instead of your full name

2. Use a company address instead of your home one whenever possible

Just think about how many people have to access your shipping data just to
deliver an order to you, the online shop, the shipping company, the warehouse,
the delivery guy.

It's kind of hard to imagine all of them would have perfect bank-level security.

~~~
maxerickson
Most people don't treat their address as sensitive information.

Many publicly accessible government records have address information.

------
neiman
"The name, contact number, email and shipping address within certain orders
may have been exposed."

I really hate that most companies _force_ me to give a phone number when I buy
something. Why do they need it? Why force it? I usually end up giving a fake
one.

~~~
pera
I believe small vendors need it to verify that you really are the owner of the
CC (it's a requirement of the processor).

~~~
clintonb
Phone numbers are not required for credit card processing. Address, yes.
Phone, no.

~~~
poxrud
Address is also not a requirement.

~~~
trollied
But it can be if you require. Billing address verification can be important
for higher value transactions. Some sites won't ship to an address other than
the billing address.

------
ktm5j
FAQ from the article has some good info if anyone missed it:
[https://www.oneplus.com/support/faq22119102](https://www.oneplus.com/support/faq22119102)

------
undersuit
Well darn, I just bought a OnePlus 7 Pro, checked my email, it's shipped! And
I'm part of the data breach. :(

~~~
undersuit
Content of email: Security Notification

We are reaching out to you directly as we have discovered that part of your
order information was accessed by an unauthorized party. We can confirm that
your payment information, password and account are safe, but your name,
contact number, email and shipping address may have been exposed.

We took immediate steps to stop the intruder and reinforce security. Right
now, we are working with the relevant authorities to further investigate this
incident and protect your data.

We wanted to notify you of this so that you can be alert to people pretending
to be OnePlus to get further information from you, or people asking you to buy
products or services from them. OnePlus will never ask you for your passwords,
and any financial information should only be provided via a secure payment
page on the OnePlus website or one of our partners if you are buying products
from us.

We are deeply sorry about this, and are committed to doing everything in our
power to prevent further such incidents. We will continue to investigate and
update you as we learn more. In the meantime, please contact us with any
questions or concerns at Customer Support.

------
heyflyguy
Basically all of our stuff is already out there. Is lifelock of any help?

~~~
dboreham
Nope. Never was any help.

------
unethical_ban
This was released a day or two after T-Mobile. Hmm...

