OnePlus accidentally exposes customer data – a second time

Amidst all the euphoria of the launch of the OnePlus Nord which marks the company’s return to the mid-tier models, the Chinese smartphone maker has suffered two security bloopers within just a month, the last one resulting in sharing customer emails across a wide spectrum. 

A report in Android Police said OnePlus sent out a mass mailer to customers as part of a study earlier today but ended up copy-pasting hundreds of email addresses into the “To” field instead of using the BCC field. As a result, every recipient of the research email received hundreds of customer email addresses. Quite a faux pas that!

The report said the email possibly contained a UX survey around the OnePlus and reached only those in the United States (yet again). 

A history of security breaches

Late last month, OnePlus faced another security challenge when its out-of-warranty repair and advance exchange invoice system exposed customer details such as names, phone details, email addresses, IMEI numbers and physical addresses. The breach only impacted customers in the United States and was promptly fixed. This was once again brought to the fore by Android Police.

Compared to these breaches, the latest one can be termed as minor though it does expose chinks in the OnePlus processes. The company had confirmed early in 2018 that the credit card info of 40,000 customers had been compromised. It had stated that this theft of information happened over the course of two months, starting in November of 2017.

The company had responded then by temporarily disabling credit card payments while advising affected customers to monitor their bank statements. It also offered a year’s worth of free credit reporting to customers whose data was breached. 

Another data breach occurred last November when OnePlus was a victim of a hacking incident that exposed customer names, email addresses and shipping addresses. However, once again the company stepped up its act and informed customers that their payment data and passwords weren’t exposed or accessed by third parties. 

Nothing really to worry about

The latest incident occurred earlier today. Android Police said they couldn’t verify the exact number of people whose data was included in the leak, but described it as “fairly minor” as the data had only reached others on the mail thread. The report quoted an unnamed person to suggest that “hundreds of email addresses” were present in the mail.

Such instances are reasonably common with media agencies that dish out press releases to journalists: someone on the list notices it, responds by bringing it to the notice of the PR company, and then watches the fun as everyone else on the mail starts expanding the trail with similar responses.

(Via) Android Police
