52 comments

[ 3.1 ms ] story [ 119 ms ] thread
Ok, the breach shouldn't have been possible. But at least, when a breach does happen, this is a good example of how a company should communicate. First assessing who/what has been impacted, informing affected customers and a clear (could use some more detail) public statement. Of course, some laws like GDPR force them to do this, but in reality we still see enough big corporations handle this way worse on an almost daily basis.
As an example of an initial notification, maybe. However, that has to be followed up with a full post mortem. I see zero information about what happened or what steps are being taken.
They're still figuring that all out. The second post in the thread is about all they know probably. I only got my email about the breach an hour before the post was made.
Got an email this morning
i get that use of the passive voice makes things more PR friendly, but the cynic in me feels that these should really be in the active voice:

- Intruders breached OnePlus systems

- On X date, unauthorized intruders accessed data in our systems

etc.

I'm not sure I agree. The purpose of the passive voice is to promote or bring into focus the object or "patient" argument. In this case, the topic is really OnePlus' systems the fact that its security was compromized. The identity and nature intruders is not the focus and is probably not even known, so the passive voice makes sense.
When I opened the link, I was hit with a modal for a raffle. I understand that it's the site's normal behavior and there's no way to single out a single thread (probably), but readers of this thread probably don't want to hand over data for a raffle.
Ironic that a post about data breach asks for your data
"Impeachment" Is A Diversion And A Delay: President of the United States, Donald J. Trump, raped and killed 15 boys in Buffalo, NY on 10Jan2019. Complete and uncut audio of it all, along with Pelosi, Obama, and Schumer's direct involvement. 295+ boys die here in Jan2019 from high profile rapists

\\Full and uncut audio from 10th January 2019. Download the mp3 file, put on head phones, and turn the volume all the way up.

    10JanCh3_1255 -1557.mp3
https://drive.google.com/file/d/18lTt_YKFEtsV6YDNzXFVQYLkStY...

\\Previously reported: This is audio of the President, Donald Trump, demanding a four billion dollar bribe from child rapists to “take a blind eye” on January 3rd, 2019. Trump becomes one on January 14th, 2019. Also, this is the big reason the major networks do not report any of it. (Media moguls are in on it also)

//Download the video, turn the volume all the way up and put head phones on. Note: there is not much to see in the video, the audio is picked up from another [illegal surveillance] system. Trump is on a call from with Henry Porter and Gigi Hadid. See page 63. Bribe demand at 10:18am:

    3JanCh3_900 -1100.avi
https://drive.google.com/file/d/1Grdr8xF2psKNsuYlEnl9dIRV-77...

//President of the United States, Donald Trump, rapes and kills his first boy at 6:32am. Video link below:

    14JanCh3_600avi
https://drive.google.com/file/d/154QvA5hwyHGYIVXtod1ZbsOHFUJ...

    14JanCh2_600 -700.avi
https://drive.google.com/file/d/19UkqmnMwZiWy7xxWngltqwoKLTJ...

//On January 18th, 2019 at 8:31am (see page 8) Trump acknowledges the FOUR billion dollar bribe and says: "Let's get it done and get to fucking some kids." Video link below:

    18JanCh3_725-.avi
https://drive.google.com/file/d/1bVTcGq5Z9oOSAiOQcKYrmuK4Two...

//The major reason this has not been reported by the major news networks is right here. Lester Holt of NBC Nightly News, apparently a member of the Illuminati since the 1980's, along with ABC Nightly News lead anchor David Muir, stop over to the Porter studio in Buffalo on January 14th, 2019 at 5:00 am. They both rape and kill about two dozen boys by 6:00 am. David Muir starts around 5:12 am, then Holt about 5:36 am. Multi-billionaire Rupert Murdoch, owner of News Corp & Fox Corporation, takes his turn after Holt. Video links below:

    14JanCh3_500- 601.avi
https://drive.google.com/file/d/1i7NKepeyG_FfdQRrM7KsnFOZOOX...

    14JanCh2_530 -600.avi
https://drive.google.com/file/d/1NZzgN5ilI7ToroU5cfqMaL4o2u1...

\\Adding to the (media protection) reason this is not picked up by the media, CBS and Viacom owner Sumner Redstone and Leslie Moonves rape and kill several boys following ...

My information got leaked by OnePlus last year and I got hit with some minor credit card fraud. At least I didn't get hit this time... One would think that companies would step up their security after a breach.
I bet security breaches for companies are more like heart complications for humans. Once you’ve been to the hospital once for one, you’re statistically more likely to have another incident.
> But certain users' name, contact number, email and shipping address may have been exposed. Impacted users may receive spam and phishing emails as a result of this incident.

Those are personally identifiable information that has been breached. So the attackers can identify me with my shipping address, email and my name.

Minus One Hundred Thousand from me.

This was released a day or two after T-Mobile. Hmm...
> We took immediate steps to stop the intruder and reinforce security.

How did they get in? and why wasn't the security "reinforced" in the first place?

I get that data breaches are their own class of problem, but I do find it ironic that people gave their contact/sales info to a company headquartered in Shenzen and have any expectation of data protection/privacy.
Because American companies definitely don’t sell your data.
Yeah, we datamine it to hell and use it to profile you to sell you more things!
Nobody said they didn’t?
(comment deleted)
Whataboutism
Not really whataboutism if you’re trying to choose between companies as a consumer.
Is this an argument? Can people be weary of companies in two countries or do they just have to pick one?
To say American and Chinese companies are operating on the same part of the spectrum shows how ignorant your comment is. Fwiw, the Chinese govt might have access to all the data on your OnePlus phone and you won't have any idea about it.

American system is driven by rule of laws. Legislature and Judiciary are two independent branches. It is not like China where Executive says something and then Judiciary is scared to act against it because, tomorrow, they may end up in a training camp.

"The name, contact number, email and shipping address within certain orders may have been exposed."

I really hate that most companies force me to give a phone number when I buy something. Why do they need it? Why forcing? I usually end up giving a fake one.

I believe small vendors need it to verify that you really are the owner of the CC (it's a requirement of the processor).
Phone numbers are not required for credit card processing. Address, yes. Phone, no.
Address is also not a requirement.
But it can be if you require. Billing address verification can be important for higher value transactions. Some sites won't ship to an address other than the billing address.
Ah yeah I think you are correct, AVS is sometimes required. Sorry for the confusion.
(comment deleted)
Some shippers require it for delivery of expensive goods, especially if you're insuring those deliveries.
Delivery by courier (FedEx, Purolator, etc) often requires a "contact number" for the recipient.
Well darn, I just bought a OnePlus 7 Pro, checked my email, it's shipped! And I'm part of the data breach. :(
Content of email: Security Notification

We are reaching out to you directly as we have discovered that part of your order information was accessed by an unauthorized party. We can confirm that your payment information, password and account are safe, but your name, contact number, email and shipping address may have been exposed.

We took immediate steps to stop the intruder and reinforce security. Right now, we are working with the relevant authorities to further investigate this incident and protect your data.

We wanted to notify you of this so that you can be alert to people pretending to be OnePlus to get further information from you, or people asking you to buy products or services from them. OnePlus will never ask you for your passwords, and any financial information should only be provided via a secure payment page on the OnePlus website or one of our partners if you are buying products from us.

We are deeply sorry about this, and are committed to doing everything in our power to prevent further such incidents. We will continue to investigate and update you as we learn more. In the meantime, please contact us with any questions or concerns at Customer Support.

Garbage phone, garbage company. What do you expect?
"We are deeply sorry about this" => we don't care much and we will try to hire not the cheapest dev around
Everyone hires the cheapest dev... even Silicon Valley giants!
Basically all of our stuff is already out there. Is lifelock of any help?
I find it so funny that you have to pay a bank to hold your personal items safe in a safety deposit box, yet companies left right and center are doing their best to acquire and hoard giant amounts of sensitive information without understanding the liability they create for themselves.

My hope is that over the coming decade there is a mental shift, and personal information becomes seen as a risk rather than a resource.

GDPR is slowly having this effect in Europe.
Lessons:

1. Use pseudo name (nickname) for shipping, instead of full name

2. Use company address instead of home one whenever possible

Just think about how many people have to access your shipping data just to deliver an order to you, the online shop, the shipping company, the warehouse, the delivery guy.

It kind of hard to imagine all of them would have perfect bank-level security.

Most people don't treat their address as sensitive information.

Many publicly accessible government records have address information.

Post office boxes exist for this reason.
This is why I pay for a USPS box every year without batting an eyelid. They also provide a physical address for vendors that demand that, presumably because they exclusively use UPS or Fedex - works fine.