When I opened the link, I was hit with a modal for a raffle. I understand that it's the site's normal behavior and there's no way to single out a single thread (probably), but readers of this thread probably don't want to hand over data for a raffle.
> But certain users' name, contact number, email and shipping address may have been exposed. Impacted users may receive spam and phishing emails as a result of this incident.
Those are personally identifiable information that has been breached. So the attackers can identify me with my shipping address, email and my name.
My information got leaked by OnePlus last year and I got hit with some minor credit card fraud. At least I didn't get hit this time... One would think that companies would step up their security after a breach.
I bet security breaches for companies are more like heart complications for humans. Once you’ve been to the hospital once for one, you’re statistically more likely to have another incident.
I find it so funny that you have to pay a bank to hold your personal items safe in a safety deposit box, yet companies left right and center are doing their best to acquire and hoard giant amounts of sensitive information without understanding the liability they create for themselves.
My hope is that over the coming decade there is a mental shift, and personal information becomes seen as a risk rather than a resource.
I'm not sure I agree. The purpose of the passive voice is to promote or bring into focus the object or "patient" argument. In this case, the topic is really OnePlus' systems and the fact that its security was compromised. The identity and nature of the intruders is not the focus and is probably not even known, so the passive voice makes sense.
The great thing about OnePlus phones is that nearly all of them have LineageOS support. I just install this over OxygenOS. Also when I installed OxygenOS, I recall it asking if I wanted to provide analytics to them in the setup process.
I get that data breaches are their own class of problem, but I do find it ironic that people gave their contact/sales info to a company headquartered in Shenzhen and have any expectation of data protection/privacy.
To say American and Chinese companies are operating on the same part of the spectrum shows how ignorant your comment is. Fwiw, the Chinese govt might have access to all the data on your OnePlus phone and you won't have any idea about it.
The American system is driven by the rule of law. The Legislature and Judiciary are two independent branches. It is not like China, where the Executive says something and then the Judiciary is scared to act against it because, tomorrow, they may end up in a training camp.
Ok, the breach shouldn't have been possible. But at least, when a breach does happen, this is a good example of how a company should communicate. First assessing who/what has been impacted, informing affected customers and a clear (could use some more detail) public statement. Of course, some laws like GDPR force them to do this, but in reality we still see enough big corporations handle this way worse on an almost daily basis.
As an example of an initial notification, maybe. However, that has to be followed up with a full post mortem. I see zero information about what happened or what steps are being taken.
They're still figuring that all out. The second post in the thread is about all they know probably. I only got my email about the breach an hour before the post was made.
1. Use pseudo name (nickname) for shipping, instead of full name
2. Use company address instead of home one whenever possible
Just think about how many people have to access your shipping data just to deliver an order to you: the online shop, the shipping company, the warehouse, the delivery guy.
It's kind of hard to imagine all of them would have perfect bank-level security.
This is why I pay for a USPS box every year without batting an eyelid. They also provide a physical address for vendors that demand that, presumably because they exclusively use UPS or FedEx - works fine.
"The name, contact number, email and shipping address within certain orders may have been exposed."
I really hate that most companies force me to give a phone number when I buy something. Why do they need it? Why force it? I usually end up giving a fake one.
But it can be if you require. Billing address verification can be important for higher value transactions. Some sites won't ship to an address other than the billing address.
We are reaching out to you directly as we have discovered that part of your order information was accessed by an unauthorized party. We can confirm that your payment information, password and account are safe, but your name, contact number, email and shipping address may have been exposed.
We took immediate steps to stop the intruder and reinforce security. Right now, we are working with the relevant authorities to further investigate this incident and protect your data.
We wanted to notify you of this so that you can be alert to people pretending to be OnePlus to get further information from you, or people asking you to buy products or services from them. OnePlus will never ask you for your passwords, and any financial information should only be provided via a secure payment page on the OnePlus website or one of our partners if you are buying products from us.
We are deeply sorry about this, and are committed to doing everything in our power to prevent further such incidents. We will continue to investigate and update you as we learn more. In the meantime, please contact us with any questions or concerns at Customer Support.