Thousands of Lush Customer Details Stolen In Website Hack

Thousands of Lush Customer Details Stolen In Website Hack

UK cosmetics retailer Lush has been subject to a website attack over a period of four months, compromising thousands of customer records in the process.

According to The Telegraph, Lush has now closed the commerce section of the website and is contacting customers who placed orders between October 4 and January 20 prompting them to contact their banks at credit card details may have been compromised in the attacks.

If a visitor now accesses the Lush website, they will be met with the following message:


24 hour security monitoring has shown us that we are still being targeted and there are continuing attempts to re-enter.

We refuse to put our customers at risk of another entry – so have decided to completely retire this version of our website.

Admirable on Lush’s part, admitting that it is unable to get to grips with the attack shows a willingness to protect its users, even if it is losing money as a result.

A new website is in development, with a temporary site launching in the next few days. The site will initially offer just PayPal payments to ensure security, whilst the company liases with police to press charges against the attacker.

As a final humourous aside, Lush has published a message to the hacker on its site:

“If you are reading this, our web team would like to say that your talents are formidable. We would like to offer you a job – were it not for the fact that your morals are clearly not compatible with ours or our customers.”

Read next: This can't be untold