Checking your credit card statement after wondering why your balance is so high and finding transactions that you don't recognize is among life's most uncomfortable moments. Many of us have been there, and even though you know there's a good chance you'll get the money back, that feeling of violation is hard to shake. Unfortunately, some recent OnePlus customers are going through exactly that at this moment in time.
A poll was posted on the OnePlus forum on Thursday asking users if they had noticed fraudulent charges on their credit cards since purchasing items on the OnePlus site. More than 70 respondents confirmed that they had been affected, with the majority saying they had bought from the site within the past 2 months. Many of them also detailed their experience in posts underneath the poll, and others took to a thread on Reddit to report facing the same issue as the community began to speculate about how this could have happened.
We reached out to a OnePlus representative for comment yesterday, who asked us to hold off on posting while they investigated and prepared a statement. Today, the company posted an update on the forum, which starts:
"At OnePlus, we take information privacy extremely seriously. Over the weekend, members of the OnePlus community reported cases of unknown credit card transactions occurring on their credit cards post purchase from oneplus.net. We immediately began to investigate as a matter of urgency, and will keep you updated. This FAQ document will be updated to address questions raised."
A number of FAQs and answers follow, in which OnePlus confirms that only customers who made credit card payments are affected, not those who used PayPal. Apparently, card info isn't stored on the site but is instead sent directly to a "PCI-DSS-compliant payment processing partner" over an encrypted connection. If you choose to save your card details for later, a token that represents your card is saved, but your card details are still handled by the payment provider next time you shop.
The post also assures customers that the current fraud issues have nothing to do with the hacking of the Magento eCommerce platform. Although Magento was initially used to build Oneplus.net, the site has been going through a rebuild since 2014, and Magento's payment service was never used for card payments anyway.
OnePlus goes on to say that intercepting information should be extremely difficult as the site is HTTPS encrypted, but that it is nevertheless carrying out a complete audit. In the meantime, affected customers are advised to contact their credit card companies immediately to get the payments canceled/reversed (called a chargeback). OnePlus will continue to investigate alongside its third-party service providers, and promises to update with its findings as soon as possible.
According to infosec firm Fidus, there is actually a brief window in which data could be intercepted. Between entering your card details into the form and hitting 'submit,' the details apparently sit in the OnePlus page itself rather than with the payment processor, which could give attackers all the time they need to steal those precious digits and head off on a spending spree. Fidus also notes that the company doesn't appear to be PCI-compliant, but that directly contradicts OnePlus' own statement. We'll have to wait until more details emerge before we pass judgment.
To its credit, OnePlus has been pretty quick to react, hopefully saving other recent customers from the same fate. If any of you have been on the receiving end of this issue, do let us know in the comments. We'll update this post when we get any further info.
- and Kuppiveikko