
MSE News: Fraud risk for thousands after Lush website hack

25 replies 4.1K views
MSE_Guy MSE Staff
1.7K posts
This is the discussion thread for the following MSE News Story:

"Thousands of shoppers who ordered online cosmetics over the past three and a half months could have had their card details stolen. ..."

This thread is to discuss this news story. Another thread on the topic was started last night.

Replies

  • ShaneUK Forumite
    1.1K posts
    Congratulations to Lush on taking down the WHOLE website - and stopping all online orders until rectified.

    I love their comment to the hacker as well!!
  • "For complete ease of mind"

    Well if that is its concern, it could share what it knows about how many cards and why just its UK website - Lush.fr for example is still trading.
  • Gordon_the_Moron Forumite
    1.5K posts
    I love the comment to the hacker too :-)
    If you don't like what I say slap me around with a large trout and PM me to tell me why.

    If you do like it please hit the thanks button.
  • Jesthar Forumite
    1.5K posts
    oakhouse13 wrote: »
    "For complete ease of mind"

    Well if that is its concern, it could share what it knows about how many cards and why just its UK website - Lush.fr for example is still trading.
    Speaking as a professional Systems Administrator, I would say that:

    1. If you are unfortunate enough to suffer a security breach, openly advertising to the hackers just how successful or otherwise they were is NOT a good idea. It tends to encourage both them and others of their ilk.

    2. From the information we have, it sounds like only the UK site has been targeted. The websites in country are almost certainly hosted and maintained independently within that particular company, not all run from one central location. Given that Lush will now know how the attack was executed, they can update and protect the other sites as required to prevent a similar attack from succeeding there. The problem with the UK site now is not protecting it against another similar attack, but that the code of the website itself could have been fatally compromised with backdoors and other snoopware by the hackers. Better to pull it, bin it and start again, even though a lot of work is involved in that.

    And Lush have done just that, so kudos to them for handling a nasty situation with both decisiveness and a sense of humour! :)
    Never underestimate the power of the techno-geek... ;)
  • corbyboy Forumite
    1.2K posts
    Getting your website hacked is just one of those things that happens now and again.

    But if I were a Lush customer I would be demanding to know why credit card numbers are being stored on their database. What business do they have keeping a record of these numbers?
  • gould300 Forumite
    26 posts
    Well I'm one of those affected - this morning someone, somewhere added £1,000 to my credit card balance - according to my card provider it was from a clothes shop (though they didn't stipulate which one). They've suspended my card and the fraud team will be contacting me tomorrow to discuss it.

    Though mistakes happen it seems to have taken Lush the best part of a month to tell its customers. Looks like this second round of attacks attracted the attention of someone there who thought it might be wise to mention it. Incompetent muppets.
  • vikingaero Forumite
    10.9K posts
    Jesthar wrote: »

    And Lush have done just that, so kudos to them for handling a nasty situation with both decisiveness and a sense of humour! :)

    So "decisiveness" is over 3 weeks in the IT industry? Seems like Lush knew for a while and didn't want to compromise their Xmas and New Year sales. Any other company and they would be slated, but because it's "ethical and lovely" Lush they can do no wrong?
    The man without a signature.
  • The other day I posted on the o2 scam page as money had been taken from my account. As I ordered online with Lush in December, I wonder if they are linked?
  • Catslovelycats Forumite
    1.7K posts
    I got one of their warning emails and am a bit put out that they didn't shut it straight away.
    I wonder if this problem is linked in any way with when they shut the website down when the sale was on.
    Not sure I shall want to buy online from them again after this. However much they are/aren't to blame.
    It's certainly made me think twice about online shopping in general.
    I check my cc balance every day as it is and shall be continually doing now.
  • Catslovelycats Forumite
    1.7K posts
    gould300 wrote: »
    Well I'm one of those affected - this morning someone, somewhere added £1,000 to my credit card balance - according to my card provider it was from a clothes shop (though they didn't stipulate which one). They've suspended my card and the fraud team will be contacting me tomorrow to discuss it.

    Though mistakes happen it seems to have taken Lush the best part of a month to tell its customers. Looks like this second round of attacks attracted the attention of someone there who thought it might be wise to mention it. Incompetent muppets.

    hope it all gets sorted for you quickly
This discussion has been closed.
