What started as a report of suspicious activity in credit card account by a OnePlus user has finally revealed a massive data breach on oneplus.net website. So let’s get into the details of the hack and the resolution suggested by OnePlus Team.

Suspicious Activity Report

On 11 January 2018, a OnePlus user known by forum name superdutynick started a thread titled ‘Credit Card Fraud’. In the thread, he stated that his credit cards were used for a series of transactions without his knowledge and he suspects a breach on OnePlus website. To support his statement, he added that the only place he used his credit cards in the past six months was none one other than OnePlus website. Soon the thread got longer with replies from other OnePlus forum users who also reported suspicious credit card usage.

Investigation Of Fraud

Following this report, a team was deployed by OnePlus to investigate on any fraudulent activity. They also disabled the credit card payment on their store website as a precautionary measure. Meanwhile, an information security company named Fidus came up with a detailed explanation of how the theft might have happened. According to Fidus, the On-Site payment processing page of oneplus.net[https://oneplus.net/] was susceptible to sniffing attacks. Later the OnePlus team also came up with a statement matching the findings of Fidus.

OnePlus Confirms Credit Card Data Breach

Findings Of OnePlus
  • oneplus.net have been attacked and up to 40,000 users may be affected.
  • Malicious script was used to sniff out credit card info while it was being entered.
  • OnePlus have already quarantined the infected server and reinforced all relevant system structure.
  • Users who entered the credit card info on oneplus.net between mid-November 2017 and January 11, 2018 may be affected.
  • Users who paid with previously saved cards, Credit Card via PayPal and PayPal should not be affected.
Suggestions By OnePlus
  • All users should check the card statement and report any unknown transactions to the bank which will help to initiate a chargeback.
  • For enquiries, the OnePlus support team is available at oneplus.net/support.
  • If you notice any potential system vulnerabilities, please report them to security@oneplus.net.
Actions Taken By OnePlus
  • All potentially affected users were contacted by Team OnePlus via email.
  • OnePlus has apologized and thanked the user superdutynick for bridging the incident to their attention.
  • They are working to implement a more secure credit card payment method to prevent any future incidents.
Unanswered Questions

Even though the team has resolved the situation, users have to deal with credit card companies to initiate a chargeback. So a mere apology from the OnePlus team won’t compensate for this security issue which has been unnoticed for nearly three months. Moreover, the OnePlus store[https://oneplusstore.in] in India is using a similar On-Site payment processing page where credit card payments are still active. However, the only difference of this regional store is the payment processor which is PayU whereas, in oneplus.net, it is cybersource.

Remarks

OnePlus has been recently quoted by several security experts pointing out the vulnerabilities in their Oxygen/Hydrogen OS. Now with this credit card incident, it is evident that the team is lacking a sort of security assurance. We have nothing more to add, but if you’re interested to know the details of the credit card issue, refer – Credit Card Fraud, OnePlus Update, Fidus Findings. Hope the article was informative, Peace!

|