In an updated post on the official forum, OnePlus has today confirmed the previously reported data breach in which users’ credit card info was suspected to be stolen from the company’s website.

We are deeply sorry to announce that we have indeed been attacked, and up to 40k users at may be affected by the incident. We have sent out an email to all possibly affected users.

OnePlus says that the attackers injected malicious code into their website, which then read the credit card info that customers were entering while making a payment. Only customers who entered their credit card numbers directly on the OnePlus website between November 2017 and January 11, 2018 are affected, i.e. customers who used an existing ‘saved’ credit card, and users who checked out using PayPal are unaffected.

Props to the company for being transparent about the hack and laying it out so well on the forums.