Cyber Incident Victim: OnePlus
Date: Jan 2018
Location: China
Summary
OnePlus investigated reports of fraudulent credit card transactions following customer purchases on its website, with multiple users reporting unauthorized charges shortly after paying through the site. The company confirmed that the affected individuals had transacted on its HTTPS-encrypted platform and initiated an urgent audit, while maintaining that intercepting data would be difficult. Cybersecurity researchers noted the site's historical use of the Magento eCommerce platform, which is associated with past vulnerabilities, but acknowledged no direct evidence of a breach. OnePlus clarified that its payment processing relied on custom code rather than Magento's module and advised customers to monitor statements.
Description
On January 11, 2018, a user reported on the OnePlus forum that two credit cards used exclusively on OnePlus.net within the previous six months had unauthorized transactions. This initial complaint was followed by nearly 40 similar reports across Twitter and Reddit, with customers alleging fraudulent activity after making purchases on the smartphone manufacturer's website. Cybersecurity firm Fidus subsequently published analysis suggesting vulnerabilities in OnePlus's payment infrastructure, noting the site utilized Magento eCommerce—a platform with documented security flaws—and theorized payment data could be intercepted during transmission. Four days after the first report, on January 15, OnePlus publicly confirmed an active investigation into the card fraud allegations, acknowledging all complaints involved transactions processed through oneplus.net. The company's community manager stated they had initiated urgent inquiries while maintaining their website employed HTTPS encryption that would make traffic interception "very difficult."

OnePlus disclosed its website had originally been built on Magento but emphasized it transitioned to custom-coded infrastructure in 2014, asserting credit card processing never utilized Magento's payment module. Despite this claim, the company launched a full security audit and advised customers to monitor statements and contact banks regarding suspicious charges to initiate chargebacks. Fidus maintained its assessment of potential interception risks while clarifying it possessed no direct evidence confirming a breach. OnePlus continued urging affected users to report incidents to facilitate the investigation, which remained ongoing at the time of reporting without public attribution of responsibility or disclosure of impacted user numbers. The incident prompted widespread consumer warnings about payment security risks on e-commerce platforms.
