Check your credit cards now - cosmetic company Lush hacked
If you ordered anything from cosmetics store Lush in the weeks leading up to Christmas - and up to yesterday, in fact - you'll be wanting to check your credit card statements and call your bank. Several avid Bitterwallet readers have been in touch to say the online store's payments have been hacked - for the past three months.
Customers possibly affected, including reader Will, received an email from the business late last night:
We would like to draw your attention to the statement below, as we believe you placed an order with us during the affected period. We are keen for customers not to have their credit cards used fraudulently, so urge you to contact your bank.
Our website has been the victim of hackers. 24-hour security monitoring has shown us that we are still being targeted and there are continuing attempts to re-enter. We refuse to put our customers at risk of another entry - so have decided to completely retire this version of our website.
For complete ease of mind, we would like all customers that placed ONLINE orders with us between 4th Oct 2010 and today, 20th Jan 2011, to contact their banks for advice as their card details may have been compromised.
The Lush website has indeed disappeared, aside from a copy of the statement and a message to those responsible:
TO THE HACKER
If you are reading this, our web team would like to say that your talents are formidable. We would like to offer you a job - were it not for the fact that your morals are clearly not compatible with ours or our customers'.
Reader Jason points out a pattern of issues faced by customers on Lush's Facebook page - several have had their card details used to top up O2 and Xbox accounts to the tune of several hundred pounds, while there have been claims of money being stolen outright. More worrying are claims that Lush may have already been alerted to the problem:
If you're a recent customer of Lush, you need to check your recent statements immediately and contact your card provider; the likelihood is that you'll need to cancel your card since the details appear to be in the hands of a third party. Once your risk of fraud has been averted, you can ask Lush why it took them over three months to identify the problem and take action.