1. What happened
One of our systems was attacked, and a malicious script was injected into the payment page code to sniff out credit card info while it was being entered.
The malicious script operated intermittently, capturing and sending data directly from the user's browser. It has since been eliminated.
We have quarantined the infected server and reinforced all relevant system structures.
2. Who's affected
Some users who entered their credit card info on oneplus.net between mid-November 2017 and January 11, 2018, may be affected.
Credit card info (card numbers, expiry dates and security codes) entered at oneplus.net during this period may be compromised.
Users who paid via a saved credit card should NOT be affected.
Users who paid via the "Credit Card via PayPal" method should NOT be affected.
Users who paid via PayPal should NOT be affected.
We have contacted potentially affected users via email.
Source: [Jan 19 Update] An Update on Credit Card Security – OnePlus Forums