A OnePlus spokesperson has officially confirmed a card breach incident affecting its online store, about which rumors started circulating online earlier in the week.
The smartphone manufacturer is now in the midst of sending affected customers notification emails regarding the incident.
In the email, and in a statement posted on its forum, OnePlus says the cause of the incident is a malicious script that was injected on its online store.
"The malicious script operated intermittently, capturing and sending data directly from the user's browser," OnePlus admitted. "It has since been eliminated."
"We have quarantined the infected server and reinforced all relevant system structures," the company added.
OnePlus estimated the number of affected customers at 40,000, and said that all people they believe to be expected would receive a notification email.
Only users who entered their payment card details on the OnePlus store between mid-November 2017 and January 11, 2018, are affected, the company said.
Customers who bought products via PayPal, or had saved payment card details in their OnePlus store account were not affected, as they did not have to type in any details on the site.
Rumors about the card breach broke earlier this week when some news publications reported about disgruntled users complaining about fraudulent transactions. The company promised at the time to investigate.
A copy of the email OnePlus has been sending customers is available via the tweet embedded below: