Lush customers should check their credit card statements – more websites hacked

Graham Cluley
Graham Cluley
@[email protected]

LushLush, the handmade cosmetics firm, has shut its Australian and New Zealand websites after hackers apparently gained access to online customers’ personal data.

In a statement posted on its website it “urgently” warns customers who have made online purchases to check with their banks to see if their credit card details have been abused.

It is less than a month since the firm had to issue a similar warning to its UK online customers.

Lush website message

Our website has been the target of hackers

We are sorry to have to announce that the Lush Australian and New Zealand websites have been hacked. We have been alerted today to advise us that entry has been gained and customer personal data may have been obtained by the hackers.

We urgently advise customes who have placed an online order with Lush Australia and New Zealand to contact their bank to discuss if cancelling their credit cards is advisable.

Whilst our website is not linked to the Lush UK website, which was recently compromised, it appears that the Australian and New Zealand Lush sites have also been targeted. As a precautionary matter we have removed access to our website while we carry our further security checks.

There’s some interesting wording in the advisory. For instance, Lush says that its Australian and New Zealand websites are not linked to the UK website, but it doesn’t say that they haven’t suffered from the same vulnerability that allowed the hackers to gain access on the British site.

Furthermore, you have to wonder if Lush was storing its customers credit card information with secure encryption if they are concerned that customers could find that their details are being abused.

Lush says that it has contacted the police regarding the incident, and will send emails to all customers that they believe may have been affected

Last month, Lush attempted to cheer the spirits of affected customers by sharing a video of puppet lemmings singing a song.

Found this article interesting? Follow Graham Cluley on Twitter, Mastodon, or Threads to read more of the exclusive content we post.

Graham Cluley is a veteran of the cybersecurity industry, having worked for a number of security companies since the early 1990s when he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows. Now an independent analyst, he regularly makes media appearances and is an international public speaker on the topic of cybersecurity, hackers, and online privacy. Follow him on Twitter, Mastodon, Threads, Bluesky, or drop him an email.

What do you think? Leave a comment

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.