Users who used their credit cards to buy a OnePlus device from the official OnePlus site should contact their bank immediately, because hackers are trying to steal their credit card information. The issue was reported by a customer who said two of his credit cards were suspected of fraudulent activity. He added, “The only place that both of those credit cards had been used in the last 6 months was on the OnePlus website.”
Later, other users also posted on Twitter and Reddit that they had noticed fraudulent activity on their credit cards after buying a new phone and accessories from the official OnePlus website.
Security researchers at the firm Fidus published some details about this breach. They wrote that the credit card information of all users flows through the official OnePlus website, because all transactions are conducted by the company itself, and that these transactions are being captured by hackers.
“Whilst the payment details are sent off to a third-party provider upon form submission, there is a window in which malicious code is able to siphon credit card details before the data is encrypted,” Fidus wrote.
Following the report, Fidus clarified that its findings do not confirm that the OnePlus website was breached; rather, they suggest where the attacks might have come from. After further research, it seems the weakest link might be the Magento eCommerce platform.
OnePlus responded that it does not store any user's credit card information unless the user checks the option to save the card for future use, which is offered on the OnePlus site, and that this option is encrypted with a token mechanism. It also said that all transactions are carried out through its PCI-DSS compliant payment processing partner.
“Our website is HTTPS encrypted, so it’s very difficult to intercept traffic and inject malicious code, however we are conducting a complete audit,” a company staffer using the name ‘Mingyu’ wrote.
OnePlus did not post further information about the issue. It confirmed that Oneplus.net had indeed been built on the Magento e-commerce platform since 2014 but said it was re-built with custom code, adding that “credit card payments were never implemented in Magento’s payment module at all.”
There are 100 users who have posted reports of an information leak on the OnePlus website. The company has announced that it is conducting a strict investigation and recommends that users contact their banks to reverse the charges.