Check your credit card statement closely if you’ve made a purchase from OnePlus within the last two months. It appears there has been some type of security breach in which payment information was stolen from customers who were just trying to buy a new phone or some accessories. OnePlus has confirmed that a rising number of its customers have experienced credit card fraud in the time since shopping online with them, and right now there’s an ongoing investigation to understand how exactly this happened.
Here’s the statement from OnePlus:
“At OnePlus, we take information privacy extremely seriously. Over the weekend, members of the OnePlus community reported cases of unknown credit card transactions occurring on their credit cards post purchase from oneplus.net. We immediately began to investigate as a matter of urgency, and will keep you updated.”
Affected customers actually include myself. Early last week I bought the OnePlus 5T in Sandstone White to see if I liked the phone more than the Google Pixel 2 XL (which I don’t). A few days after making my purchase, I was alerted that someone tried making an unauthorized purchase at Walmart worth $790.
To whoever just tried making a $790 purchase at Walmart with my credit card, nice try.
— Justin Herrick (@JustHerrick) January 11, 2018
I’ve had my credit card number compromised multiple times before, so this didn’t exactly cause any panic. The company that issues my credit card, fortunately, stopped the transaction from going through. Immediately I used online chat to figure out what happened, and the card provider canceled the card before shipping a new one.
This week I’m seeing headlines relating to OnePlus customers and credit card fraud; therefore, now I have a strong suspicion of how my credit card was stolen. Like many others, making a purchase on OnePlus’ online store apparently put my payment information in jeopardy.
According to information security analyst Fidus, the issue apparently stems from the window between the time payment information is submitted and the time it is received. Attackers are believed to have been able to pick up details while your name, credit card number, and other information sit in the payment form, which is hosted on-site rather than elsewhere. OnePlus’ site is HTTPS encrypted, but HTTPS only protects data in transit between your browser and the server, so that just isn’t enough to stop digital thieves from reading what is typed into the form itself.
If you’ve completed your purchases using PayPal, there’s nothing to worry about. This situation only involves those who used credit/debit cards since the payment information was typed out, watched by attackers, and then finally sent to OnePlus.
OnePlus says it’ll update everyone as the investigation progresses.