Update (01/16): OnePlus has issued an update to its forum post. As a precaution, the company is temporarily disabling credit card payments at oneplus.net. PayPal is still available, and OnePlus is exploring “alternative secure payment options” with its service providers.
The company says it’s working around the clock to investigate this issue.
Original article (01/15): Fraudulent credit card activity is not fun to deal with, but it is something that may have affected recent OnePlus customers.
Over this past weekend, several OnePlus customers took to Reddit to air their grievances over having their credit card information taken after making a purchase on OnePlus’ website. Affected customers reported cases of transactions made without their knowledge or consent, with one person saying someone ordered $200 worth of Papa John’s pizza.
As funny and weird as that may be, fraudulent credit card activity is a serious matter. Not only is sensitive information taken, but if you are not careful, it can wreck any financial dreams you had in the short term.
That is why OnePlus took to its forums to try and clear the air. According to the company, credit card information is not processed or stored on its website. Rather, it is sent to OnePlus’ “PCI-DSS-compliant payment processing partner over an encrypted connection” and processed on the processing partner’s “secure servers.”
OnePlus also says its website is not affected by the Magento bug. Even though the company’s website was originally built on the Magento eCommerce platform, which was hacked in 2015, OnePlus has rebuilt its website since 2014 and did not use Magento for card payments.
As for what happens now, OnePlus says it will conduct a complete audit, though it assures customers that, because its website uses HTTPS, it is difficult to intercept traffic and inject malicious code. Also, while those who use third-party services like PayPal should be in the clear, others are urged to check their statements and contact their banks to initiate a chargeback if they find any suspicious purchases.
Finally, OnePlus confirmed it is working with its third-party providers to get to the bottom of the issue.
As security consulting firm Fidus InfoSecurity revealed, there is a small window when making a purchase during which data is actually hosted on OnePlus’ website and could be intercepted. Fidus also directly contradicts OnePlus’ statement and says the payment processing partner is not PCI-DSS-compliant.
We will be sure to update this post with additional information as we learn more, but let us know in the comments if you have recently purchased something through OnePlus’ website and had your credit card information taken.