Smartphone maker OnePlus has been hit by a cyber attack affecting up to 40,000 customers and compromising their credit card information.
The Chinese company confirmed hackers had "injected" malicious code into the payments page of its website, which then accessed card information as it was entered.
The firm said PayPal customers and those who used a saved credit card - and therefore did not input information into the page - should not be affected.
"We are deeply sorry to announce that we have indeed been attacked, and up to 40k users at oneplus.net may be affected by the incident. We have sent out an email to all possibly affected users," OnePlus said.
"One of our systems was attacked, and a malicious script was injected into the payment page code to sniff out credit card info while it was being entered.
"The malicious script operated intermittently, capturing and sending data directly from the user's browser. It has since been eliminated.
"We have quarantined the infected server and reinforced all relevant system structures."
The company said customers who had entered their payment information into the website between mid-November 2017 and January 11 2018 may have been affected by the breach and urged customers to check bank statements and report any unrecognised changes.
"We cannot apologise enough for letting something like this happen. We are eternally grateful to have such a vigilant and informed community, and it pains us to let you down," OnePlus said.
"We are in contact with potentially affected customers. We are working with our providers and local authorities to better address the incident.
"We are also working with our current payment providers to implement a more secure credit card payment method, as well as conducting an in-depth security audit. All these measures will help us prevent such incidents from happening in the future."