The incident came to light when on the OnePlus support forum on January 11 from a customer who said two of his credit cards used on the phone maker’s official website showed signs of fraud. “The only place that both of those credit cards had been used in the last 6 months was on the OnePlus website,” he wrote. Once this claim was made, several complaints were later posted to Twitter and Reddit that reported the same misuse of credit card. Meanwhile, security experts over at a company called Fidus Information Security have published their own blog post explaining the alleged issues with the OnePlus website’s payment system. According to the firm, OnePlus is currently using the Magento e-Commerce platform, which is a common platform for credit card hacking and is known to contain cybersecurity flaws for at least two years. “The payment page which requests the customer’s card details is hosted ON-SITE and is not an iFrame by a third-party payment processor. This means all payment details entered, albeit briefly, flow through the OnePlus website and can be intercepted by an attacker. Whilst the payment details are sent off to a third-party provider upon form submission, there is a window in which malicious code is able to siphon credit card details before the data is encrypted,” Fidus says. Adding further, Fidus said, “Card payments are handled by CyberSource, the processing form is still hosted on the OnePlus infrastructure. If an attacker had write access to this page, JavaScript could have been inserted to compromise data entered into CyberSource’s payment form on the client-side.” While it is not clear whether the company is to blame, OnePlus published a forum post on Monday explaining how its payment system works and confirming an investigation into the matter. It revealed that each of the reports included customers who made card payments at oneplus.net. OnePlus, further stressed that the credit card processing doesn’t take place on its website. “Your card info is never processed or saved on our website – it is sent directly to our PCI-DSS-compliant payment processing partner over an encrypted connection, and processed on their secure servers. Our website is HTTPS encrypted, so it’s very difficult to intercept traffic and inject malicious code, however we are conducting a complete audit,” a spokesperson wrote on OnePlus’s official forums. “If you suspect that your credit card info has been compromised, please check your card statement and contact your bank to resolve any suspicious charges. They will help you initiate a chargeback and prevent any financial loss,” the statement continued.