Update 2 (22/01/18): Over the last week, OnePlus has been investigating reports of its customers suffering from credit card fraud shortly after purchasing a phone directly from the company’s website. At the time, OnePlus switched off credit card payments as a safety precaution and said that the issue only affected a small number of its total customers. Now, we know that 40,000 customers in total were affected and how the attackers managed to siphon away credit card details.
The investigation is still ongoing. However, the most recent update revealed that the cyber attack was carried out by injecting a malicious script into the OnePlus payment page code. This allowed the attackers to see the credit card numbers, expiration dates and security codes of 40,000 customers. Anyone who used PayPal instead was unaffected.
Those who bought a OnePlus device between November 2017 and the 11th of January 2018 will have been at risk. Right now OnePlus is “in contact with potentially affected customers” and is working with its partners and the authorities to address the whole incident. Aside from that, a security audit is also being conducted to try and ensure that something like this doesn’t happen again.
Update 1 (17/01/18): Following on from reports of OnePlus customers suffering from credit card fraud after their purchases, the Chinese smartphone maker has launched an investigation into the matter. The company hasn’t revealed exactly what went wrong just yet, but as a precautionary measure, OnePlus is disabling credit card payments for the time being. In the meantime, PayPal will still be available and “alternative secure payment options” are being explored.
While OnePlus hasn’t concluded its investigation yet, the security firm ‘Fidus’ has done its own digging. According to their research, there might be a brief window where credit card information can be intercepted during the checkout process, before it is fully encrypted.
Original story (15/01/18): If you have recently picked up a OnePlus smartphone directly from the company’s website, then you may want to keep an eye on your credit card statements. This week over on the OnePlus forums, customers began reporting credit card fraud shortly after buying a OnePlus smartphone.
Over on the OnePlus forum, a poll was run to see how many customers experienced fraudulent credit card charges on their account after recently buying a OnePlus smartphone. The purchase could have been anywhere from less than a month to over four months ago. Close to 100 buyers said they experienced issues. This is a relatively small number, but it does give cause for concern. Fortunately, most banks have good policies in place when it comes to this sort of thing, so if you notice anything, a quick call to your bank should straighten things up.
OnePlus has responded to these reports already and while the company doesn’t have any final answers just yet, it is conducting a “complete audit”. Updates will be provided while the investigation is ongoing and the company gets to the bottom of things.
KitGuru Says: OnePlus doesn’t store any credit card information on its own servers, so the issue seems to be elsewhere. We’ll keep an eye out for more updates on this.