China-based smartphone maker OnePlus confirmed a security breach of its website, with “up to 40,000 users” affected by the incident.

“We cannot apologise enough for letting something like this happen. We are eternally grateful to have such a vigilant and informed community, and it pains us to let you down,” the company wrote on its website.

OnePlus stopped processing credit card sales via its website last week, after a growing number of reports that users had seen unknown transactions on cards after making purchases from the vendor.

The company said “a malicious script was injected into the payment code page to sniff out credit card info while it was being entered”. Credit card info entered directly on the site was at risk; payments made via PayPal were not impacted.

OnePlus said it is contacting users who may be at risk, with Engadget reporting it is offering such customers a 12-month subscription to a credit monitoring service.