Editors' Note: This article has been updated to note that OnePlus has temporarily halted credit card payments at its website.
If you purchased something from OnePlus’ website over the last few months — perhaps a shiny new OnePlus 5T — you’re going to want to closely monitor your credit card statements over the coming weeks.
OnePlus is investigating complaints from at least 170 customers who encountered fraudulent charges on their credit accounts shortly after buying items on the OnePlus website. Earlier today (Jan. 16), OnePlus said it's temporarily halting credit card payments at its website while it continues to investigate.
"As a precaution, we are temporarily disabling credit card payments at oneplus.net," the statement reads. "PayPal is still available and we are exploring alternative secure payment options with our service providers."
Customer concerns emerged over this past weekend, and the issues seem to be limited to those who completed purchases directly on the OnePlus site, without using third parties such as PayPal. According to OnePlus, customer payment information is never stored on its own site, but forwarded to a payment partner, where it is processed on a secure server.
Based on a poll on OnePlus’ community forums, most of the reported fraud appears to stem from transactions made in the last two months, with a few users reporting fraud that occurred earlier — though it’s unclear how closely those earlier instances are connected to OnePlus’ site.
What To Do If You're Affected
The advice for anyone who's bought something from OnePlus in the past couple of months is straightforward: Check your payment-card statements (including the most recent transactions, which you can check online or over the phone) and report anything suspicious to your card issuer. (For Visa and MasterCard, the issuer is the bank printed on the card.) You're almost certainly off the hook for any fraudulent use as long as you report what you've seen right away.
OnePlus has posted an FAQ on its forums explaining everything the company knows about what happened, while urging customers to get in touch if they have any comments or concerns. "At OnePlus, we take information privacy extremely seriously," the company's earlier statement says. "Over the weekend, members of the OnePlus community reported cases of unknown credit card transactions occurring on their credit cards post purchase from oneplus.net. We immediately began to investigate as a matter of urgency, and will keep you updated. This FAQ document will be updated to address questions raised."
We’ve reached out to OnePlus for additional comments, and will update this article when we receive a reply.
Interestingly, the FAQ acknowledges a potential flaw in OnePlus’ commerce system. The company previously used the Magento e-commerce platform, which was attacked several years ago by a keylogger known as Magecart. OnePlus says it began moving away from Magento before that breach, and that it never used Magento to handle credit cards in the first place.
However, while OnePlus claims customer data is never saved on its website, an independent audit by Fidus Information has revealed that some information is kept, albeit briefly, on OnePlus’ own servers before it’s pushed to its payment partner.
For OnePlus, this breach is the latest in a line of recent security headaches. In October, the company was discovered to have been collecting identifiers and usage data from phones and sending them to servers in China without customers' knowledge. A month later, a low-level diagnostics app labeled EngineerMode was found on all of OnePlus' handsets, allowing attackers to collect a wealth of information should they get their hands on a device.