allaboutwomen

Over the past three months, hackers have been repeatedly breaking into Lush's site to steal the details. Thousands of customers are at risk of losing huge sums. Anyone who shops online should think about online theft protection.

The Lush site has been taken down and now reads: "We are very sorry to confirm that our website has been the victim of hackers. 24 hour security monitoring has shown us that we are still being targeted and there are continuing attempts to re-enter. We refuse to put our customers at risk of another entry - so have decided to completely retire this version of our website.

"For complete ease of mind, we would like all customers that placed ONLINE orders with us between 4th Oct 2010 and today, 20th Jan 2011, to contact their banks for advice as their card details may have been compromised."

A consultant at security company Trend Micro, Rik Ferguson said he knew one person who had had a fraudulent payment of £1,700 on his or her credit card account after using the site.

"The risk of these card numbers being used has already moved from theoretical to reality," he said.

If Lush has failed to comply with security measures to keep credit card details safe, it could lose its authority to accept credit card payments at all.

Victims of the fraud have posted on Lush's Facebook page. One wrote: "We've had our card compromised and used in fraudulent transactions just three days ago. It has now been cancelled and we have no way to access our money."

Another victim wrote: "We used Lush's site back in late Nov. They must have been holding our details unencrypted since then."

Lush said: "We became aware in late December that www.lush.co.uk had been the subject of attacks by hackers.

"Our customers' security is of paramount importance to us and as soon as we realised this was the case, we immediately took down our UK website and a thorough investigation followed and extra security measures put in place."