Update: OnePlus disables credit card payments on its website in wake of reported security breach

Update: OnePlus has now disabled credit card payments on OnePlus.net. Customers will still be able to shop via PayPal. The company is still investigating and is also looking for alternative payment options. If you've made any credit card payments on OnePlus.net, it's advised that you keep an eye on your payment history and statements. Original story follows:

OnePlus is well-known for offering awesome devices at unbelievably low prices and the company does a few things to make sure its corner-cutting doesn't come from the actual hardware. Since it started out small, it built its name via

Multiple users are now reporting that their credit card details have been leaked and someone out there is attempting to spend tons of their money on coupons, random betting sites, and other such quick-to-cash-out places. Some have reported that this has occurred after they have shopped at OnePlus.net, or that the compromised cards have only been used at the OnePlus store.

Thankfully, most modern credit card systems have built-in security to stop this kind of fraud. But if you've shopped at OnePlus.net and used your credit card instead of a PayPal checkout, we suggest you keep an eye on your credit card transaction history until this whole debacle is cleared up.

OnePlus was quick to answer customer concerns but has yet to confirm or deny a leak. A forum post, which is to be considered the company's official reply as of right now, explains that OnePlus does not store credit card data and that customer payment details are handled by a secure third-party system. Even if you check the “Save my card for future transactions” box, all that OnePlus saves is a token number that represents your card details, which remain securely encrypted in the payment system's database. As per the statement, the investigation is still ongoing. Users who believe their data has been compromised are encouraged to contact security@oneplus.net and report when they last shopped at OnePlus.net and when the fraudulent transactions began to pop up in their credit card statements.

Security experts chime in

Security experts over at a company called Fidus Information Security have written their own blog post to chime in on the matter. According to Fidus, the fact that the payment details page is hosted on the OnePlus website is where the problems start. Sure, OnePlus does not store or read your card details, but that information will go through its servers for a brief period of time, before making it to the payment company's database.

Fidus provided a couple of examples of how the payment system could be compromised to leak sensitive data. One way is a malicious piece of JavaScript, hosted on the server, which makes the user's machine send a copy of the entered billing information straight to the hacker. The other method is a direct hack of the OnePlus servers, which would signify a very serious weakness in security.
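Seen from the defender's side, the first scenario comes down to knowing exactly which scripts run on the page where card details are typed. The following is an added example, not code from Fidus, OnePlus or this article: a Node.js audit that lists the scripts on a checkout page and flags any that load from an origin outside an allowlist, load from an allowed third party without a Subresource Integrity hash, or are inline. The markup, hostnames and allowlist are constructed placeholders, and the tag matching is regex-based, which is enough for an audit pass but is not a full HTML parser.

```javascript
// Constructed sample markup; every hostname below is a placeholder.
const SAMPLE_CHECKOUT_HTML = `
<html><head>
<script src="/static/checkout.js"></script>
<script src="https://js.payments.example/v3/sdk.js"
        integrity="sha384-CONSTRUCTED-PLACEHOLDER" crossorigin="anonymous"></script>
<script src="https://cdn.widgets.example/chat.js"></script>
<script src="https://stats.unknown.example/t.js"></script>
<script>window.cartId = "c-1001";</script>
</head><body><form id="card-form"></form></body></html>`;

// Parse the attribute text of one tag into a lower-cased name -> value map.
function parseAttrs(text) {
  const attrs = {};
  const re = /([\w-]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+)))?/g;
  let m;
  while ((m = re.exec(text)) !== null) {
    attrs[m[1].toLowerCase()] = m[2] ?? m[3] ?? m[4] ?? "";
  }
  return attrs;
}

// Flag scripts that could read card fields without being vetted or pinned.
function auditCheckoutScripts(html, pageUrl, allowedOrigins) {
  const pageOrigin = new URL(pageUrl).origin;
  const allowed = new Set([pageOrigin, ...allowedOrigins]);
  const findings = [];
  const scriptRe = /<script\b([^>]*)>([\s\S]*?)<\/script\s*>/gi;
  let m;
  while ((m = scriptRe.exec(html)) !== null) {
    const attrs = parseAttrs(m[1]);
    if (!("src" in attrs)) {
      // Inline code cannot carry SRI; it needs review or a CSP nonce/hash.
      if (m[2].trim()) findings.push({ issue: "inline-script", detail: m[2].trim() });
      continue;
    }
    const url = new URL(attrs.src, pageUrl);
    if (!allowed.has(url.origin)) {
      findings.push({ issue: "unexpected-origin", detail: url.href });
    } else if (url.origin !== pageOrigin && !attrs.integrity) {
      // Allowed third party, but a changed file would load without detection.
      findings.push({ issue: "missing-sri", detail: url.href });
    }
  }
  return findings;
}

const ALLOWED = ["https://js.payments.example", "https://cdn.widgets.example"];
console.log(auditCheckoutScripts(SAMPLE_CHECKOUT_HTML, "https://shop.example/checkout", ALLOWED));
```

An allowlist and SRI only cover scripts loaded from other origins; a first-party file altered on the merchant's own server, the second scenario Fidus describes, passes this check and needs server-side file integrity monitoring or a payment form hosted by the payment processor.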

We'll see where this story goes from here. You are free to visit the OnePlus forum threads (linked below) to follow reports from other users as they develop while we wait for OnePlus to conclude its investigation.

sources: OnePlus Forums | Official statement | Fidus Information Security | Reddit



2. hboy857

Posts: 367; Member since: Jun 03, 2013

Never Settle. LOL.

3. lyndon420

Posts: 6836; Member since: Jul 11, 2012

This will always be an issue. Everything can be hacked if it's connected to the internet.

7. Anonymous.

Posts: 423; Member since: Jun 15, 2016

But some are much harder to hack than others, so give top security companies some credit (in case you didn't).

5. redmd

Posts: 1943; Member since: Oct 26, 2011

Knox and Samsung Pay is secure enough for me

14. Settings

Posts: 2943; Member since: Jul 02, 2014

Enough googling brings you results that Knox has exploits.

11. Furbal unregistered

Long as it's just the tokens everything is fine.

15. makatijules

Posts: 835; Member since: Dec 11, 2017

Honest companies just can't seem to catch a break. Then the dishonest ones get all the breaks. It's a good thing these services don't use your actual credit card data to make purchases. If it was only just the tokenization number, then I doubt anyone is gonna have any issues.

16. mootu

Posts: 1530; Member since: Mar 16, 2017

People already are having issues, that's how all this got out into the press.
