Lush hackers cash in on stolen cards

Image caption,
Customers vented their feelings on the company's Facebook page

Cyber thieves are cashing in after stealing credit cards in a hack attack on the website of cosmetics firm Lush.

The online shop was shut down on 21 January and its home page replaced with a message revealing the attack.

Lush said anyone who placed an online order between 4 October and 20 January should contact their bank in case their card details had been compromised.

Many Lush customers have reported that their cards have been used fraudulently.

Comments posted on the Facebook page of Lush revealed that many customers were angry about the security lapse that may have spanned four months.

Many said they had lost money or had to cancel cards in case they were about to be abused. Some said Lush should have noticed the problem earlier and called for compensation for the money they have lost.

Security expert Rik Ferguson from Trend Micro said the sums of money the hackers were taking could be significant.

"I was initially alerted to the attack by one of my own friends whose card, along with her husband's, have subsequently been used to make fraudulent purchases totalling almost £6000 from well-known online retailers," wrote Mr Ferguson on the Trend Micro blog.

"The risk of these stolen card numbers being used by criminals has already moved from the theoretical to reality," he said.

Hilary Jones, ethical director at Lush, said the firm became aware of problems on Christmas day when hackers were discovered to have penetrated the site.

The site was taken down and did little trade between Christmas and New Year while Lush investigated to see if the hackers were merely mischievous or out to make money.

It became obvious that the hackers were after cash as European customers began reporting small purchases made with credit cards that had been used on Lush and other web shops.

Ms Jones said the small transactions were "test" purchases that thieves make to see if a stolen credit card is still live.

She said that when it became obvious that a lot of test purchases were being made and the Lush site was the key, the company shut down its store and told customers what had happened.

"As an ethical company we could not keep that information to ourselves," said Ms Jones. "We had to tell a huge raft of customers."

The four-month window that people needed to check was a safeguard to ensure all at-risk customers were covered, she said. The site was not vulnerable throughout that time.

"We really want to make sure we cover all possibilities," said Ms Jones. "We wanted to tell more customers than less."

The Lush website has been "retired" and a new online shop is set to appear in a few days but will initially only accept payment through Paypal.

Ms Jones said a forensic investigation was underway to find out how the thieves broke into the site.

Hack attack

The site, which helps people avoid speed cameras and road hazards, issued a warning to its 10 million users saying their e-mail addresses and passwords may be in the hands of attackers.

It said the attackers breached the site once and managed to get away with the data. Trapster's warning triggered a similar one by Twitter advising people to change their password and avoid using the same one on different sites.

The attack could mean that accounts on other sites get taken over by spammers and used to send junk mail.

In mid-December Gawker Media's revelation that its servers had been hacked and 1.3 million accounts had been compromised gave rise to warnings from Yahoo, Twitter, LinkedIn and World of Warcraft maker Blizzard asking people to change login details.

Related Internet Links

The BBC is not responsible for the content of external sites.