For a long time, OnePlus phones had a vulnerability where it was possible to retrieve Shot On OnePlus e-mail addresses. That was because of the weak point in the api. In the meantime, the leak is closed.
9to5Google discovered that OnePlus was informed about the leak. It's been closed since then. The leak was in the function of Shot On OnePlus, part of the application for the background of the company. Shot on OnePlus contained photos of other users of OnePlus who could share their own photos as wallpapers with other users. They could do this directly from the application itself or upload photos to the website. To upload a photo, users had to create an account.
9to5Google has discovered that there is a leak api behind the function. In order to use api, users had to have a key and access token, but both consisted of only a short alphanumeric code. This code can be retrieved by searching the image id via api. Moreover, it turned out that it is not only possible to request information about photographs and photographs, but also e-mail addresses.
OnePlus has not yet responded to the found, but quietly changed the api so it is no longer possible to retrieve the information from the api.