OnePlus Suspends Credit Card Payments Amid Fraud Reports
If you bought something on the OnePlus website in the last few months, you'll want to closely monitor your credit card statements.
Editors' Note: This article has been updated to note that OnePlus has temporarily halted credit card payments at its website.
If you purchased something from OnePlus’ website over the last few months — perhaps a shiny new OnePlus 5T — you’re going to want to closely monitor your credit card statements over the coming weeks.
OnePlus is investigating complaints from at least 170 customers who encountered fraudulent charges on their credit accounts shortly after buying items on the OnePlus website. Earlier today (Jan. 16), OnePlus said it's temporarily halting credit card payments at its website while it continues to investigate.
"As a precaution, we are temporarily disabling credit card payments at oneplus.net," the statement reads. "PayPal is still available and we are exploring alternative secure payment options with our service providers."
Customer concerns emerged over this past weekend, and the issues seem to be limited to those who completed purchases directly on the OnePlus site, without using third parties such as PayPal. According to OnePlus, customer payment information is never stored on its own site, but forwarded to a payment partner, where it is processed on a secure server.
Based on a poll on OnePlus’ community forums, the bulk of the breaches appear to stem from transactions made in the last two months, with a few users here and there reporting fraud that occurred earlier — though it’s unclear how connected those instances are to OnePlus’ site.
What To Do If You're Affected
The advice for anyone who's bought something from OnePlus in the past couple of months is straightforward: Check your payment-card statements (including the most recent transactions, which you can check online or over the phone) and report anything suspicious to your card issuer. (For Visa and MasterCard, the issuer is the bank printed on the card.) You're almost certainly off the hook for any fraudulent use as long as you report what you've seen right away.
OnePlus has posted an FAQ on its forums explaining everything the company knows about what happened, while urging customers to get in touch if they have any comments or concerns. "At OnePlus, we take information privacy extremely seriously," the company's earlier statement says. "Over the weekend, members of the OnePlus community reported cases of unknown credit card transactions occurring on their credit cards post purchase from oneplus.net. We immediately began to investigate as a matter of urgency, and will keep you updated. This FAQ document will be updated to address questions raised."
We’ve reached out to OnePlus for additional comments, and will update this article when we receive a reply.
Interestingly, the FAQ acknowledges a potential flaw in OnePlus’ commerce system. The company previously utilized the Magento e-commerce platform, which was attacked several years ago by a keylogger known as Magecart. OnePlus says it began moving away from Magento before that breach, and never used Magento for credit cards in the first place.
However, while OnePlus claims customer data is never saved on its website, an independent audit by Fidus Information has revealed that some information is kept, albeit briefly, on OnePlus’ own servers before it’s pushed to its payment partner.
Because the payment form is hosted by OnePlus, Fidus says attackers are able to capture the content of form fields with clever JavaScript, despite the fact that none of the processing actually happens on OnePlus’ end.
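Since any script running on the page that hosts the form can read its fields, a site operator can inventory which scripts load there. The following is an added example, not code from OnePlus, Fidus or the original article; the function names, the `*.example` hosts, the allowlist and the sample markup are all constructed for illustration.

```javascript
// Added example. SAMPLE_HTML, the *.example hosts and the allowlist are constructed.
const JS_TYPES = ["", "module", "text/javascript", "application/javascript"];

// Parse the attribute text of one tag into a lowercase-keyed object.
function parseAttrs(text) {
  const attrs = {};
  const re = /([^\s=\/]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+)))?/g;
  for (const a of text.matchAll(re)) attrs[a[1].toLowerCase()] = a[2] ?? a[3] ?? a[4] ?? "";
  return attrs;
}

// Every script on the page that hosts the payment form can read its fields,
// so report each one that is not pinned: third-party origins missing from the
// allowlist, allowlisted third-party files without SRI, and inline code.
// Regex extraction suits templates you control; use an HTML parser otherwise.
function auditCheckoutScripts(html, pageUrl, allowedOrigins) {
  const pageOrigin = new URL(pageUrl).origin;
  const findings = [];
  for (const m of html.matchAll(/<script\b([^>]*)>([\s\S]*?)<\/script\s*>/gi)) {
    const attrs = parseAttrs(m[1]);
    if (!JS_TYPES.includes((attrs.type || "").toLowerCase())) continue; // data block, not code
    if (!("src" in attrs)) {
      const body = m[2].trim();
      if (body) findings.push({ kind: "inline-script", detail: body.slice(0, 40) });
      continue;
    }
    let origin;
    try { origin = new URL(attrs.src, pageUrl).origin; } // resolves relative and // URLs
    catch { findings.push({ kind: "unparseable-src", detail: attrs.src }); continue; }
    if (origin === pageOrigin) continue; // first-party file, outside this third-party audit
    if (!allowedOrigins.includes(origin)) findings.push({ kind: "unlisted-origin", detail: origin });
    else if (!attrs.integrity) findings.push({ kind: "missing-sri", detail: attrs.src });
  }
  return findings;
}

const SAMPLE_ALLOWLIST = ["https://payments.example", "https://widgets.example"];
const SAMPLE_HTML = `
<form id="pay"><input name="card_number"><input name="cvv"></form>
<script src="/static/checkout.js"></script>
<script src="https://payments.example/sdk.js" integrity="sha384-CONSTRUCTED" crossorigin="anonymous"></script>
<script src="https://widgets.example/chat.js"></script>
<script src="//stats.example/t.js"></script>
<script type="application/ld+json">{"@type":"Product"}</script>
<script>window.dataLayer = [];</script>`;

console.log(auditCheckoutScripts(SAMPLE_HTML, "https://shop.example/checkout", SAMPLE_ALLOWLIST));
```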
For OnePlus, this breach is the latest in a line of recent security headaches. In October, the company was discovered to have been collecting identifiers and usage data from phones and sending them to servers in China without customers' knowledge. A month later, a low-level diagnostics app labeled EngineerMode was found on all of OnePlus' handsets, allowing attackers to collect a wealth of information should they get their hands on a device.
Adam Ismail is a staff writer at Jalopnik and previously worked on Tom's Guide covering smartphones, car tech and gaming. His love for all things mobile began with the original Motorola Droid; since then he’s owned a variety of Android and iOS-powered handsets, refusing to stay loyal to one platform. His work has also appeared on Digital Trends and GTPlanet. When he’s not fiddling with the latest devices, he’s at an indie pop show, recording a podcast or playing Sega Dreamcast.