OnePlus website hacked? Firm confirms investigation amid card fraud complaints
Customers took to Twitter and Reddit to complain, while one cyber firm was on the case.
Chinese smartphone manufacturer OnePlus has launched an investigation after a number of customers who used its website to purchase products complained of attempted fraud.
The claims surfaced on the OnePlus forum last Thursday (11 January) from a user who said two cards used on the phone maker's website showed signs of misuse. "The only place that both of those credit cards had been used in the last 6 months was on the OnePlus website," he wrote.
Nearly 40 similar complaints were later posted to Twitter and Reddit, while cybersecurity firm Fidus published a blog post detailing the alleged issues with the OnePlus website's payment system.
In a statement posted online Monday (15 January), OnePlus confirmed a probe was underway.
It revealed that each of the reports involved customers who made card payments at oneplus.net.
A staffer using the name 'Mingyu' wrote: "Members of the OnePlus community reported cases of unknown credit card transactions occurring on their credit cards post purchase from oneplus.net. We immediately began to investigate as a matter of urgency, and will keep you updated."
The firm stressed that its website is HTTPS-encrypted and claimed it would be "very difficult to intercept traffic and inject malicious code." It noted, however, that a full audit was now in progress.
"If you suspect that your credit card info has been compromised, please check your card statement and contact your bank to resolve any suspicious charges," the statement continued.
"They will help you initiate a chargeback and prevent any financial loss."
In its report, Fidus said the OnePlus website was using the Magento eCommerce platform, which has for at least two years been known to contain cybersecurity flaws.
It said that payment details "flow through the OnePlus website and can be intercepted by an attacker", but acknowledged it had no evidence a breach had taken place.
OnePlus confirmed in its customer update that oneplus.net was indeed built on the Magento eCommerce platform, but said that it has, since 2014, been rebuilt using custom code.
It said "credit card payments were never implemented in Magento's payment module" and urged customers with suspicious charges to let it know. The investigation remains ongoing.
If you have been impacted by the OnePlus website issue, please contact: j.murdock@ibtimes.co.uk.