CERT-In, India’s nodal agency for cybersecurity, issued an advisory late Tuesday night for OnePlus smartphone users in the country, asking them to change their account passwords. In its advisory, the agency said that ‘less than 3,000 Indian customers’ orders were exposed during the recent global system breach.
“The kind of information exposed such as name, address, email can be abused to impersonate as victim and gain access to other accounts. Even though OnePlus has claimed that password data was not accessed, users are still advised to change their passwords with a strong password,” the cybersecurity agency said in its advisory with ‘medium’ severity rating.
In its advisory, the agency said that OnePlus has clarified that no payment card, bank account details or password was breached and has stated that all affected users have already been notified by email.
OnePlus, which is still in the process of shifting its data to Amazon Web Services (AWS) India servers from Singapore, had faced a data security breach in 2018 as well, in which over 40,000 customers were affected, resulting in the exposure of bank card details.
OnePlus recently cemented its premium leadership in the July-September quarter with 35% market share, growing 95% on year, as per Counterpoint Research’s third-quarter data.
A query sent to OnePlus remained unanswered till press time. OnePlus, however, on Monday said that it was working with relevant authorities to further investigate the system breach.
CERT-In informed users of OnePlus smartphones in India that they may receive spam and phishing emails as a result of this incident, and that “they need to stay alert against these kinds of mails.”
The incident follows the recent WhatsApp snooping incident, where at least two dozen Indian journalists, activists, lawyers and academics were targeted for surveillance. The Indian breach was reported after WhatsApp sued NSO Group, accusing it of helping break into the phones of 1,400 users across four continents.
The agency further advised users not to click on any attachment or URL contained in an unsolicited email, even if the link seems benign.
Cyberlaw expert Pavan Duggal said that users will have to start incorporating cybersecurity as a way of life, and will have to be careful and exercise due diligence.
“If any user finds the data is gone, then he/she can sue the company for unlimited damages under Section 43A of the IT Act. Also, the user can file criminal charges against the company because when the user gives the data, the law requires intermediary to hold the data in trust,” Duggal added.