Lush customers should check their credit card statements – more websites hacked

Graham Cluley
Graham Cluley
@[email protected]

LushLush, the handmade cosmetics firm, has shut its Australian and New Zealand websites after hackers apparently gained access to online customers’ personal data.

In a statement posted on its website it “urgently” warns customers who have made online purchases to check with their banks to see if their credit card details have been abused.

It is less than a month since the firm had to issue a similar warning to its UK online customers.

Lush website message

Sign up to our free newsletter.
Security news, advice, and tips.

Our website has been the target of hackers

We are sorry to have to announce that the Lush Australian and New Zealand websites have been hacked. We have been alerted today to advise us that entry has been gained and customer personal data may have been obtained by the hackers.

We urgently advise customes who have placed an online order with Lush Australia and New Zealand to contact their bank to discuss if cancelling their credit cards is advisable.

Whilst our website is not linked to the Lush UK website, which was recently compromised, it appears that the Australian and New Zealand Lush sites have also been targeted. As a precautionary matter we have removed access to our website while we carry our further security checks.

There’s some interesting wording in the advisory. For instance, Lush says that its Australian and New Zealand websites are not linked to the UK website, but it doesn’t say that they haven’t suffered from the same vulnerability that allowed the hackers to gain access on the British site.

Furthermore, you have to wonder if Lush was storing its customers credit card information with secure encryption if they are concerned that customers could find that their details are being abused.

Lush says that it has contacted the police regarding the incident, and will send emails to all customers that they believe may have been affected

Last month, Lush attempted to cheer the spirits of affected customers by sharing a video of puppet lemmings singing a song.

Graham Cluley is an award-winning keynote speaker who has given presentations around the world about cybersecurity, hackers, and online privacy. A veteran of the computer security industry since the early 1990s, he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows, makes regular media appearances, and is the co-host of the popular "Smashing Security" podcast. Follow him on Twitter, Mastodon, Threads, Bluesky, or drop him an email.

What do you think? Leave a comment

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.