OnePlus has finally released an official statement on the alleged online payment compromise on its website and the reports of user credit card data being hacked.

In a post on the official forums, the company said, “We take information privacy extremely seriously. Over the weekend, members of the OnePlus community reported cases of unknown credit card transactions occurring on their credit cards post purchase from oneplus.net.”

The company released an FAQ of sorts covering the questions oneplus.net users may have. “The reports have come from some customers who made credit card payments directly on oneplus.net (without involving a third party such as PayPal). We are investigating each report,” the statement said about who might be affected.

Credit Card Data Secure

OnePlus says that credit card data is not stored on its website and is sent directly to “our PCI-DSS-compliant payment processing partner.” It further stressed that the data is sent over an encrypted connection and processed on secure bank or financial institution servers.

As for the users who have reported credit card fraud, OnePlus maintains that the fault does not lie with its website, but said it’s still investigating what might have gone wrong. “Our website is HTTPS encrypted, so it’s very difficult to intercept traffic and inject malicious code, however we are conducting a complete audit.” It further asked those affected to report the fraudulent charges to their credit card provider or bank.

Ongoing Investigation

The company added: “This is an ongoing investigation. We are working with our third-party providers, and will update you on our findings as they surface. Information security is a very serious topic, and it has always been one of our top priorities. If you have any suggestions or comments, please send them to security@oneplus.net.”

[Image: The OnePlus forum post which brought the issue to light]

No Card Info Saved

It also clarified the process through which users can quickly check out using saved card details. “Our payment processing partner encrypted and securely stored your card info and sent us a few digits (for identification purposes), plus a “token” – a string of symbols that represents your card. This token is stored in our system, but it’s impossible for us to decrypt it and access your card info,” the statement said about the saved card feature.

Magento Removed in 2014

The statement also highlighted the fact that OnePlus has been off the Magento eCommerce platform since 2014 and has rebuilt the payment process “with custom code”. It further stressed that credit card payments were not implemented in Magento’s payment module, so OnePlus is not susceptible to Magento’s inherent flaws.

What OnePlus has failed to shed light on is why users were pinpointing its website as the source of the wrong charges. However, as mentioned above, we are expecting more from OnePlus on this subject in the days to come, as the company’s investigation unfolds.