It seems as if OnePlus just can’t catch a break. The company, while being the manufacturer of the best “flagship killers”, has always found itself surrounded by controversies. First, there was the EngineerMode fiasco, then the clipboard bug in the new Oreo Beta. Recently, it was also reported that OnePlus’ Online Payment Platform was allegedly hacked, as many users reported fraudulent transactions on their credit cards. And now, we seem to have an official response from the team regarding the same.
Let’s do a quick recap first, shall we? The entire situation started when a user, in a blog post on the OnePlus forums, reported that he had previously used his credit cards on the website’s shopping platform (OnePlus Store) to purchase OnePlus devices. He was recently informed that there were several transactions requested on his credit cards that he did not make. Eventually, many other users joined in to report similar mishaps on their credit cards as well.
The team at Fidus later stepped in to report that OnePlus was using the Magento eCommerce platform, which was speculated to be the possible cause of the attack. The platform is known to be vulnerable if adequate security measures are not taken, and it seemed that way for OnePlus.
Finally, it seems as if we have an official word from OnePlus regarding the entire fiasco. According to an official response, OnePlus has temporarily disabled credit card payments at oneplus.net. That being said, PayPal is still available as a mode of payment, while the team is looking for other third-party secure payment options as well.
The response also states that the initial web platform was indeed built on the Magento eCommerce platform. However, the site has been using custom code since 2014. Furthermore, “credit card payments were never implemented in Magento’s payment module at all.” The response also states that the card info is never processed or saved on the company’s website. Rather, “it is sent directly to our PCI-DSS-compliant payment processing partner over an encrypted connection, and processed on their secure servers.”
As of now, OnePlus states that this is an ongoing investigation and that it is working with its third-party providers to find the root cause of the issue. “Information security is a very serious topic, and it has always been one of our top priorities,” said the company. The team has asked affected customers to check their card statements and contact their bank to resolve any suspicious charges.