Update: OnePlus disables credit card payments on its website in wake of reported security breach

OnePlus is well-known for offering awesome devices at unbelievably low prices and the company does a few things to make sure its corner-cutting doesn't come from the actual hardware. Since it started out small, it built its name via Multiple users are now reporting that their credit card details have been leaked and someone out there is attempting to spend tons of their money on coupons, random betting sites, and other such quick-to-cash-out places. Some have reported that this has occurred after they have shopped at OnePlus.net, or that the compromised cards have only been used at the OnePlus store.

Thankfully, most modern credit card systems have a security built-in to stop such stuff from happening. But if you've shopped from OnePlus.net and used your credit card instead of a PayPal checkout, we suggest you keep an eye on your credit card transaction history until this whole debacle is cleared up.

OnePlus is currently looking into the allegations

OnePlus was quick to answer customer concerns but is yet to confirm or deny a leak. In a forum post, which is to be considered the company's official reply as of right now, it's explained that OnePlus does not store credit card data and that customer payment details are handled by a secure 3rd party system. Even if you are to check the “Save my card for future transactions” box, all that OnePlus saves is a token number that represents your card details, which remain securely encrypted in the payment system's database. As per the statement, the investigation is still ongoing. Users that believe their data has been compromised are encouraged to contact security@oneplus.net and report when they last shopped at OnePlus.net and when the fraudulent transactions began to pop up in their credit card statements.

Security experts chime in

Security experts over at a company called Fidus Information Security have written their own blog post to chime in on the matter. According to Fidus, the fact that the payment details page is hosted on the OnePlus website is where the problems start. Sure, OnePlus does not store or read your card details, but that information will go through its servers for a brief period of time, before making it to the payment company's database.

Fidus provided a couple of examples of how the payment system could be compromised to leak sensitive data. One way is to have a malicious piece of JavaScript, hosted on the server, which will invoke the user's machine to send a copy of the entered billing information straight to the hacker. The other method is a direct hack of the OnePlus servers, which would signify a very serious weakness in security.


We'll see where this story goes from here. You are free to visit the OnePlus forum threads (linked below) to follow reports from other users as they develop while we wait for OnePlus to conclude with its investigations.

sources: OnePlus Forums | Official statement | Fidus Information Security | Reddit