Smartphone brand OnePlus is investigating a potential credit card breach after multiple reports of unauthorized transactions following a purchase on its website, oneplus.net.
Dozens of OnePlus customers reported on the company’s user forum that fraudulent transactions were made over the past week following a purchase on the site in the past two months.
Many owners have also reported that their OnePlus purchase was the first time they had used the affected credit card, raising suspicions that OnePlus or its payment provider had suffered a breach. Owners are reporting fraudulent transactions in Europe and the US. Numerous Reddit users have reported fraudulent card transactions after making recent OnePlus purchases. Owners who purchased phones using PayPal have not reported any instances of fraud after using the site.
OnePlus today said it is investigating the reported cases and in an FAQ published on Monday said that it doesn’t store financial information on its website.
“Your card info is never processed or saved on our website - it is sent directly to our PCI-DSS-compliant payment processing partner over an encrypted connection, and processed on their secure servers.”
The company last January contracted Visa-owned payments gateway firm CyberSource to manage its online checkout system.
OnePlus has denied suggestions from a UK security firm that its e-commerce system was vulnerable to an old Magento eCommerce bug that cybercriminals were using to siphon card numbers.
OnePlus said the site was initially built on Magento eCommerce, but that it has been migrated away from that platform since 2014, and that in any case the site never used the Magento credit card payments module.
Also, customers who used the “save this card for future transactions” feature on the site are not necessarily at greater risk of card fraud, according to OnePlus.
“All this means is that our payment processing partner encrypted and securely stored your card info and sent us a few digits, plus a "token" - a string of symbols that represents your card. This token is stored in our system, but it's impossible for us to decrypt it and access your card info.”
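As an added illustration of the tokenization model the FAQ describes, the following is constructed example code, not OnePlus's or CyberSource's implementation; the class and function names, the test card number and the simplified brand lookup are all hypothetical. It shows the card number reaching only the processor's vault, the merchant storing nothing but a random token plus the last four digits, and a simple scan a defender can run over a merchant data export to confirm no Luhn-valid card numbers leaked into it. Tokenization of this kind protects what the merchant stores; it says nothing about the page where the card is typed in, which is why the audit of the website itself still matters.

```python
import re
import secrets
from dataclasses import dataclass, field


def luhn_ok(pan: str) -> bool:
    """Luhn check on a card number string (non-digits ignored)."""
    digits = [int(c) for c in pan if c.isdigit()]
    if len(digits) < 12:
        return False
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def brand_of(pan: str) -> str:
    """Simplified, hypothetical brand lookup by leading digit."""
    return {"4": "visa", "5": "mastercard"}.get(pan[:1], "unknown")


class PaymentProcessorVault:
    """Hypothetical processor vault: the only place a full PAN ever lands.
    In a real deployment this data would be encrypted at rest and in PCI scope."""

    def __init__(self):
        self._vault = {}  # token -> (pan, expiry)

    def tokenize(self, pan: str, expiry: str) -> dict:
        if not luhn_ok(pan):
            raise ValueError("invalid card number")
        # Token is random, not derived from the PAN, so it cannot be reversed.
        token = "tok_" + secrets.token_urlsafe(18)
        self._vault[token] = (pan, expiry)
        return {"token": token, "last4": pan[-4:], "brand": brand_of(pan)}

    def charge(self, token: str, amount_cents: int) -> bool:
        return token in self._vault and amount_cents > 0


@dataclass
class MerchantDB:
    """Everything the merchant persists about saved cards."""
    saved_cards: list = field(default_factory=list)


def browser_submit_card(processor: PaymentProcessorVault, pan: str, expiry: str) -> dict:
    """Models the customer's browser posting card data straight to the processor;
    only the token record ever comes back to the merchant."""
    return processor.tokenize(pan, expiry)


def merchant_save_card(db: MerchantDB, customer_id: str, token_record: dict) -> None:
    db.saved_cards.append({"customer": customer_id, **token_record})


def merchant_charge_saved_card(processor: PaymentProcessorVault, db: MerchantDB,
                               customer_id: str, amount_cents: int) -> bool:
    """Later purchase using the stored token only."""
    for rec in db.saved_cards:
        if rec["customer"] == customer_id:
            return processor.charge(rec["token"], amount_cents)
    return False


def find_pans_in_blob(blob: str) -> list:
    """Defender-side check: scan an export for 13-19 digit runs that pass Luhn."""
    return [m for m in re.findall(r"\d{13,19}", blob) if luhn_ok(m)]


def merchant_dump_contains_pan(db: MerchantDB) -> bool:
    """Would an attacker who stole only the merchant DB recover any card number?"""
    return bool(find_pans_in_blob(repr(db.saved_cards)))


if __name__ == "__main__":
    TEST_PAN = "4111111111111111"  # constructed, Luhn-valid test number
    proc, db = PaymentProcessorVault(), MerchantDB()
    rec = browser_submit_card(proc, TEST_PAN, "12/29")
    merchant_save_card(db, "cust-1", rec)
    print("stored:", db.saved_cards)
    print("charged:", merchant_charge_saved_card(proc, db, "cust-1", 4999))
    print("PAN in merchant dump:", merchant_dump_contains_pan(db))
```

Running the block shows the merchant record holding only a `tok_...` value, the brand and `1111`; the scan over that record finds nothing, while the same scan over the processor's vault contents would.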
The company is investigating the issue with its third-party provider and is also conducting a “complete audit” of its website, which has HTTPS enabled. It urged customers to check their statements and to contact their bank immediately to reverse any suspicious charges.
CSO Online has contacted OnePlus for more details and will update the story if it receives a response.