OnePlus, like many other companies, have a database with the email addresses of their clients since they are usually subscribed to the forums or have an account on their website.
Typically these email addresses are safe and are not shared with third parties, but OnePlus just screwed up.
Apparently, OnePlus has accidentally revealed hundreds of email addresses of your customers in a message sent to its members.
The message was from a research study, and it appears that the sender forgot to check the box for addresses to be added to the BCC field. As a result, all recipients of the message were able to see all the addresses.
There is nothing OnePlus can do except apologies for the failure. Although revealing your email is not as serious as sharing other types of personal information, your address could end up in spamming lists or be used for targeted attacks, now that they know you have OnePlus smartphone.
It is not the first time that OnePlus has committed a failure related to user privacy. In 2018, it stopped accepting credit card payments following complaints from many users who had purchased from the OnePlus online store about the fraudulent use of their cards.
More recently, in June this year, OnePlus Repair System security vulnerability exposed customer data on the Internet including full names, phone numbers, emails, IMEIs, and physical addresses. This failure is similar to the one suffered in 2019 with the “Shot on OnePlus” contest, which also exposed similar personal data of users.