This year’s first bad news for OnePlus users—a large number of OnePlus customers are reporting fraudulent credit card transactions after buying products from the Chinese smartphone maker’s official online store.
The claim initially surfaced on the OnePlus support forum over the weekend from a customer who said that two of his credit cards used on the company’s official website were suspected of fraudulent activities.
“The only place that both of those credit cards had been used in the last 6 months was on the Oneplus website,” the customer wrote.
Later, a great number of users posted similar complaints on OnePlus, Twitter and Reddit forums, saying they had also become victims of credit card fraud.
Many of the customers claimed that their credit cards had been compromised after they bought a brand new phone or some accessories directly from the OnePlus official website, indicating that the leak might have been through the company itself.
Cybersecurity firm Fidus also published a blog post detailing the alleged issue with the OnePlus website’s on-site payment system. The firm suspected that the servers of the OnePlus website might have been compromised.
According to Fidus, OnePlus is currently conducting the transactions itself on-site, which means that all billing information along with all credit card details entered by its customers flow through the OnePlus official website and can be intercepted by attackers.
“Whilst the payment details are sent off to a third-party provider upon form submission, there is a window in which malicious code is able to siphon credit card details before the data is encrypted,” Fidus wrote.
Fidus went on to clarify that their findings did not in any way confirm that the OnePlus website was breached; instead, they suggested the attacks might have come via the Magento eCommerce platform—which is used by OnePlus and is “a common platform in which credit card hacking takes place.”
OnePlus has quickly responded to the issue on its forum, confirming that it does not store any credit card information on its website and all payment transactions are carried out through its PCI-DSS-compliant payment processing partner.
Only credit card-related information of users who have enabled the “save this card for future transactions” feature is stored on OnePlus’ official servers, but even that is secured using a token mechanism.
“Our website is HTTPS encrypted, so it’s very difficult to intercept traffic and inject malicious code, however we are conducting a complete audit,” a company staffer using the name ‘Mingyu’ wrote.
The Chinese smartphone maker also confirms that purchases involving third-party services like PayPal are not affected.
OnePlus does not reveal much information on the incident but confirms that its official website is not affected by any Magento vulnerability.
The company confirms that oneplus.net was indeed built on the Magento eCommerce platform, but said that since 2014 it has been entirely re-built using custom code, adding that “credit card payments were never implemented in Magento’s payment module at all.”
There are almost 100 claims of fraudulent credit card transactions on the OnePlus support forums. OnePlus announces a formal investigation into the matter, and advises affected users to contact their bank to reverse the payment.