Up to 40,000 people were caught out by hackers who stole credit card details from the site of phone maker OnePlus.
The company stopped taking card payments via its site earlier this week after learning about the attack.
An investigation has revealed that attackers stole data by exploiting a loophole in its payment system between mid-November 2017 and 11 January.
The company apologised and said affected customers would get free help to resolve card problems.
In a statement posted to its community forum, OnePlus confirmed that it had been attacked adding: “a malicious script was injected into the payment page code to sniff out credit card info while it was being entered”.
It said the malicious script ran “intermittently” and has now been expunged from the affected server.
The loophole in its payment system that it exploited had also been eliminated, it added.
OnePlus said that only customers who entered their credit card details for the first time on its site between the two dates would be affected.
Anyone who had submitted those card details before mid-November or after 11 January or who used a different payment method, such as Paypal, would not have been caught out.
All those whose credit card numbers were scooped up by the script have been contacted via email.
The company learned about the theft of data from its support site when customers started reporting fraudulent charges turning up on statements.
It urged anyone who might have been among the victims to check statements to see if any bogus bills had been charged to their cards.
A spokeswoman for OnePlus said it would offer credit monitoring to everyone who had been affected and would also set up a hotline that people could call to get help resolving payment and card issues.
“We cannot apologise enough for letting something like this happen,” wrote OnePlus in its update.