OnePlus is investigating widespread reports of its customers confronting fraudulent activity on their credit accounts after purchasing a phone from the company.
A user-generated poll posted on the company’s community forum found that most who found fraud — a lot of it on gambling charges — had purchased their device within the last two months. Social media checks found that many of those customers were from the United Kingdom. Those using PayPal or another third-party processor were apparently not affected.
This morning, OnePlus said only that it is working with its partners to look into the issue and that affected customers should initiate chargebacks with their banks. The company says that it is auditing its custom HTTPS-encrypted payment platform. It also claims to have moved away from the CyberSource Magento platform, a processing system affected by a big vulnerability in 2015.
Third-party information security firm Fidus has since reported, though, that OnePlus is using the Magento add-on to its custom on-site system. It posits two theories: either a malicious script was placed on OnePlus’s site and then cleaned up, or a bigger issue could lie with CyberSource itself.