After launching an investigation into reports of a credit card breach on its website, OnePlus has announced some grim findings: Up to 40,000 customers may have had their credit card data stolen. That includes card numbers, expirations dates, and CVV codes entered at oneplus.net.

The culprit for the breach, according to OnePlus, is a rogue script that was injected into the payment page code and able to capture unencrypted credit card info from customers’ browser windows. The company says the exploit has been running since the OnePlus 5T launched in November, though it affected all sales made through the website. It’s unclear whether the attack was triggered remotely or internally.

Incidentally, the breach only seems to have affected customers using a new credit card on the site. OnePlus says those who used a previously saved card or PayPal to check out shouldn’t be impacted. The company shut down its credit card processing system on January 16 after reports surfaced of fraudulent charges popping up on customers’ credit card statements. Customers are still able to purchase phones via PayPal.

OnePlus is continuing to investigate the issue with the help of a third-party cybersecurity firm but has offered no window for when credit card purchasing will be restored on its website. It says it will be reinforcing its system with tougher security measures and is looking into offering a free one-year subscription to a credit-monitoring firm to all affected users.

In a form post OnePlus said, “We cannot apologize enough for letting something like this happen. We are eternally grateful to have such a vigilant and informed community, and it pains us to let you down.”

If you purchased a OnePlus 5T or any other phone through the OnePlus website, you should call the issuer of the credit card you used to see about getting a replacement card with a new number.

PCWorld