OnePlus has finally issued an official statement as more online buyers are coming out with stories that their credit cards received unauthorized transactions after purchasing a smartphone on the OnePlus website. The Chinese OEM says they are still in the process of investigating these cases but also assured customers that their credit card information is not stored in the website and that they do not have access to these details. They did encourage customers who experienced these unauthorized charges to report the cases to their banks immediately.
On a thread on the OnePlus forums, users were sharing that their banks began contacting them about suspicious charges and the only previous place where they used them online is to purchase something from the OnePlus website. As of this writing, there were already 73 customers on that thread alone claiming credit card fraud. It only seems to be affecting those who made direct credit card payments and not those that paid through PayPal.
OnePlus said that when you make a payment on their site, it is sent directly to a PCI-DDS-compliant payment processing partner and it is done so through an encrypted connection. If you saved the card for future transactions, this means your credentials are encrypted and OnePlus only receives a few digits for identification purposes and a token. But they will not be able to decrypt the token so they can’t access your credit card info.
Things are still in the process of investigating but based on their statement, we have this feeling that the ax will fall on that “PCI-DDS-compliant payment processing partner” as it seems like there was a breakdown in security somewhere there.