Update: OnePlus disables credit card payments on its website in wake of reported security breach
Update: OnePlus has now disabled credit card payments on OnePlus.net. Customers will still be able to shop via PayPal. The company is still investigating and is also looking for alternative payment options. If you've made any credit card payments on OnePlus.net, you're advised to keep an eye on your payment history and statements. Original story follows:
OnePlus is well-known for offering awesome devices at unbelievably low prices and the company does a few things to make sure its corner-cutting doesn't come from the actual hardware. Since it started out small, it built its name via

Multiple users are now reporting that their credit card details have been leaked and someone out there is attempting to spend tons of their money on coupons, random betting sites, and other such quick-to-cash-out places. Some have reported that this has occurred after they have shopped at OnePlus.net, or that the compromised cards have only been used at the OnePlus store.
Thankfully, most modern credit card systems have security built in to stop such stuff from happening. But if you've shopped from OnePlus.net and used your credit card instead of a PayPal checkout, we suggest you keep an eye on your credit card transaction history until this whole debacle is cleared up.
OnePlus is currently looking into the allegations
OnePlus was quick to answer customer concerns but is yet to confirm or deny a leak. In a forum post, which is to be considered the company's official reply as of right now, it's explained that OnePlus does not store credit card data and that customer payment details are handled by a secure third-party system. Even if you check the “Save my card for future transactions” box, all that OnePlus saves is a token number that represents your card details, which remain securely encrypted in the payment system's database. As per the statement, the investigation is still ongoing. Users who believe their data has been compromised are encouraged to contact firstname.lastname@example.org and report when they last shopped at OnePlus.net and when the fraudulent transactions began to pop up in their credit card statements.
Security experts chime in
Security experts over at a company called Fidus Information Security have written their own blog post to chime in on the matter. According to Fidus, the fact that the payment details page is hosted on the OnePlus website is where the problems start. Sure, OnePlus does not store or read your card details, but that information will go through its servers for a brief period of time, before making it to the payment company's database.
Vulnerability point, image courtesy of Fidus Information Security
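To make the Fidus point concrete, here is an added example (not code from OnePlus, Fidus or this article) that audits a checkout page's HTML and reports whether the card inputs are served in the merchant's own page and posted to the merchant's origin, or kept inside a payment provider's frame. The host names, field names and both sample pages are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Standard HTML autofill tokens that mark payment-card inputs.
CARD_TOKENS = {"cc-name", "cc-number", "cc-exp", "cc-exp-month", "cc-exp-year", "cc-csc"}

def origin(url):
    u = urlsplit(url)
    return f"{u.scheme}://{u.netloc}"

class CheckoutAudit(HTMLParser):
    """Collects card inputs served in the page itself and any iframes it embeds."""
    def __init__(self, page_url):
        super().__init__()
        self.page_url, self.form_action = page_url, None
        self.card_fields, self.frames = [], []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":  # an empty or missing action posts back to the page URL
            self.form_action = urljoin(self.page_url, a.get("action") or "")
        elif tag == "input" and set((a.get("autocomplete") or "").lower().split()) & CARD_TOKENS:
            self.card_fields.append((a.get("name"), self.form_action or self.page_url))
        elif tag == "iframe" and a.get("src"):
            self.frames.append(origin(urljoin(self.page_url, a["src"])))

    def handle_endtag(self, tag):
        if tag == "form":
            self.form_action = None

def audit(page_url, html):
    p = CheckoutAudit(page_url)
    p.feed(html)
    merchant = origin(page_url)
    return {
        "card_fields_in_merchant_page": [n for n, _ in p.card_fields],
        "posted_to_merchant": [n for n, act in p.card_fields if origin(act) == merchant],
        "third_party_frames": sorted({f for f in p.frames if f != merchant}),
    }

# Constructed sample pages; shop.example and pay.example are placeholder hosts.
MERCHANT_HOSTED = """<form action="/checkout/pay" method="post">
<input name="card_number" autocomplete="cc-number">
<input name="cvv" autocomplete="cc-csc"></form>"""
PROVIDER_FRAMED = """<form action="/checkout/confirm" method="post">
<iframe src="https://pay.example/card-fields"></iframe>
<input type="hidden" name="payment_token"></form>"""

if __name__ == "__main__":
    for name, page in (("merchant-hosted", MERCHANT_HOSTED), ("provider-framed", PROVIDER_FRAMED)):
        print(name, audit("https://shop.example/checkout", page))
```

A non-empty `posted_to_merchant` list is the situation described above: the card details transit the merchant's servers even though nothing is stored there.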
We'll see where this story goes from here. You are free to visit the OnePlus forum threads (linked below) to follow reports from other users as they develop while we wait for OnePlus to conclude its investigation.
sources: OnePlus Forums | Official statement | Fidus Information Security | Reddit