OnePlus mistakenly leaks user email addresses, merely some weeks after fixing a security loophole


OnePlus is at it again. No, we are not talking about a new device, but a security breach reported by Android Police. And while this one is minor when compared to previous incidents, it was easily preventable.

Kids, never underestimate the importance of the Bcc field

First, an email 101. When you are composing an email, there is a field called Blind carbon copy, or Bcc, that doesn't let recipients see each other's email addresses. It's often used by marketers and companies when they send the same message to various people.
This week, OnePlus sent out a mass email about a research study and forgot to use the Bcc field. As a result, email addresses of nearly 271 people were exposed, according to an estimate. The email was apparently sent to customers who signed up for a user interface survey after the OxygenOS 10.5.11 update.
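A pre-send check of the kind that catches this mistake, shown as an added example that is not from the article or from OnePlus: it counts the addresses every recipient can read (To and Cc) and offers a one-message-per-recipient alternative. The threshold, function names and example.com addresses are assumptions constructed for illustration.

```python
from email.message import EmailMessage
from email.utils import getaddresses

MAX_VISIBLE = 5  # assumed policy threshold, not a value from the article


def visible_recipients(msg):
    """Return the distinct addresses exposed to all recipients (To and Cc)."""
    headers = [str(v) for v in msg.get_all("To", []) + msg.get_all("Cc", [])]
    return sorted({addr.lower() for _, addr in getaddresses(headers) if addr})


def violates_policy(msg, limit=MAX_VISIBLE):
    """True when a message would show more than `limit` addresses to everyone."""
    return len(visible_recipients(msg)) > limit


def build(sender, subject, body, to=(), bcc=()):
    """Build one message; Bcc addresses are kept out of To and Cc."""
    m = EmailMessage()
    m["From"] = sender
    m["To"] = ", ".join(to) if to else sender  # mail to self when all are Bcc
    if bcc:
        m["Bcc"] = ", ".join(bcc)
    m["Subject"] = subject
    m.set_content(body)
    return m


def fan_out(sender, subject, body, recipients):
    """One message per recipient, so no copy carries another person's address."""
    return [build(sender, subject, body, to=[r]) for r in recipients]


# Constructed sample data: 271 placeholder survey participants.
SAMPLE = [f"user{i}@example.com" for i in range(271)]
SENDER = "research@example.com"

if __name__ == "__main__":
    exposed = build(SENDER, "Survey", "Hello", to=SAMPLE)
    hidden = build(SENDER, "Survey", "Hello", bcc=SAMPLE)
    print("To-list mail exposes", len(visible_recipients(exposed)), "addresses")
    print("Bcc mail exposes", len(visible_recipients(hidden)), "address")
    print("blocked:", violates_policy(exposed), violates_policy(hidden))
```
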

OnePlus is no stranger to data breaches

On the surface, this seems like a slip-up without any serious consequences. However, it's not a good look for the Chinese company, which some weeks back fixed a security vulnerability that exposed information of US customers such as names, phone numbers, email addresses, and physical addresses. The loophole was in the manufacturer's out-of-warranty repair and advance exchange invoicing system, and there is no evidence that it was exploited.
In 2019, another data breach enabled unauthorized access to some order data such as customer names, emails, contact numbers, and shipping addresses. It led the company to launch the OnePlus Security Response Center (OneSRC), a bug bounty program for improving the security ecosystem.
Prior to that, in 2018, credit card information of up to 40,000 customers was stolen. Before that, in 2017, a backdoor vulnerability was discovered in various OnePlus handsets.
OnePlus has so far not said anything about the recent incident.

Source: Phonearena
