Forgot your password?
typodupeerror
Security Businesses Privacy United Kingdom IT

UK Cosmetic Retailer Lush Targeted By Hackers 109

Posted by timothy
from the people-are-bad dept.
Tasha26 writes "Cosmetic retailer Lush stopped its online activities on Jan 21 due to hacking activities. Their website is still down due to 'continuing attempts to re-enter,' and Lush is thinking of spinning a small PayPal outlet as a temporary solution. The company is urging customers who placed an order between Oct 2010 and Jan 2011 to contact their banks for advice on compromised credit card details. The company even posted a message addressed to the hacker, saying, 'If you are reading this, our web team would like to say that your talents are formidable. We would like to offer you a job — were it not for the fact that your morals are clearly not compatible with ours or our customers.'"
This discussion has been archived. No new comments can be posted.

UK Cosmetic Retailer Lush Targeted By Hackers

Comments Filter:
  • Well, you could, that is, if you were able to get your hands on any fine Lush products, but now you can't, so I guess I'm not nonplussed after all.

    How long 'til we are required to use things like one-time credit cards, or maybe a single-use code from my Yubikey, or something else, for online purchases? Either that or cancel & change your credit card number every six months.

    • by daid303 (843777)

      How long 'til we are required to use things like one-time credit cards, or maybe a single-use code from my Yubikey, or something else, for online purchases? Either that or cancel & change your credit card number every six months.

      There are alternatives. For The Netherlands we have iDEAL: http://en.wikipedia.org/wiki/IDEAL [wikipedia.org]

      It works very simple, you only authorize a single payment. They could scam you out of a single payment but that's it. I exclusively buy online at shops that support iDEAL. And that list is growing fast, Steam also supports iDEAL for half a year now, and Blizzard accepts it as payment method. The whole credit card setup is so stone-aged compared to this.

      Also note that I don't need to setup a different account or anyt

      • Agree, iDeal may not be the end all, be all, solution for online transactions but it's pretty solid, safe and simple.

        Currently I only do payments via iDeal or paypall only. My paypall accounts is empty most of the times. If I want to buy something via paypall I transfer the amount of money needed first and then make the transaction.

        • PayPal has instant transfers out of attached bank accounts available at least in the US.
          Then you don't have the delay of waiting for the transfer to clear and add to your account balance, then paying with your balance.

    • by cdrguru (88047)

      Your credit card will be compromised. It is a fact of life.

      Your average waiter in a restaurant can make an extra $50-100 a week by turning nice fresh credit card numbers over to the right people. Credit card companies do not prosecute - ever. So, even if someone is caught they aren't going to do any time.

      Magnify the opportunity and reward 1000 times for a credit card database.

      I do not know of anyone ever that had to pay for their credit card being used fraudulently. Generally I get a phone call asking i

      • Your average waiter in a restaurant can make an extra $50-100 a week by turning nice fresh credit card numbers over to the right people.

        That's it? Hahaha, suckers!

  • Oh come on... (Score:4, Interesting)

    by samcan (1349105) on Saturday January 22, 2011 @03:08AM (#34963360)

    It's not a matter of whether the hacker's skills are formidable, it's a matter of whether Lush's IT team's aren't.

    • by Anonymous Coward

      Such is not always the case. Even if you run a top notch secure system, there will always be bugs and ways to compromise it.

      • Re:Oh come on... (Score:5, Insightful)

        by rtfa-troll (1340807) on Saturday January 22, 2011 @04:29AM (#34963648)

        A "top notch" IT team will have

        • offline backups
        • the ability to restore quickly
        • the ability to expand capacity quickly
        • the ability to do almost immediate updates*
        • basic forensic ability to work out what's going on

        Sure, your system may be compromised. Sure; the first replacement system may be compromised again. During the compromise of the second you should get enough logs that the third (or at worst fifth time) you come back, all the zero day attacks the attacker is using have gone.

        Anyone can lose a few hours of outage. To be down for a day and have to start begging for mercy is not a sign that their IT "skills are formidable"

        * at the cost of a short term outage;

        • by Nick Ives (317)

          Not if the "zero day attacks" are in the bespoke code for your website. Then you'd be in the situation of getting whoever wrote your code to to sort their mess out, which for a relatively small firm like Lush would probably mean dragging back in whatever lowest bidder contractor they used.

          • dragging back in whatever lowest bidder contractor they used.

            We are discussing here a "top notch" IT team.

            a) they wouldn't have used a lowest bidder in the first place

            b) once they know the URL they would be able to use one of the Apache filtering modules or a feature of their load balancer to block that URL

            c) once they captured the URL that caused the break in they could just fix the code themselves; being top notch they won't be using anything they don't have the code to.

            Even a slightly less than top notch company will have a support contract and in the case o

            • by jimicus (737525)

              The hackers have already demonstrated that they're probably a cut above the average script kiddie, insofar as they hacked the site to forward credit card numbers and this went unnoticed for a couple of months.

              There's a good chance that the IT team at the time this all blew up weren't sure exactly how the hackers got in in the first place. And if they were, they had evidence to suggest that attacks continued after the website was brought down and fixed. In which case, one line added to mod_security configu

        • by jimicus (737525)

          Lush isn't an IT firm, they're a cosmetics firm.

          I would be astonished if their IT staff are in-house - there's a very strong chance they outsource it all.

          • I was going to say that; if they are making most of their business online then they are an IT company; they just haven't realised it yet. However, it seems like in fact they probably do most business over the phone and in shops so I will actually say that it's good that they stood up and admitted what happened. Hopefully they learned and next time they'll get someone competent to run their online store.
            • by Ritchie70 (860516)

              I doubt much is online sales. The noxious fumes from their heavily scented products make a trip to Macy's highly unpleasant if you wander into the wrong part of the store.

              • Re:Oh come on... (Score:5, Interesting)

                by drinkypoo (153816) <martin.espinoza@gmail.com> on Saturday January 22, 2011 @12:17PM (#34965380) Homepage Journal

                Noxious fumes from heavily scented products? Have you actually smelled their products? It's probably the only thing in Macy's that won't make my airway tighten up instantly. I have asthma and that toxic bullshit that is in most body products makes me react immediately, whether I can actually smell it or not; and so much the worse if I can smell it, since my body has been trained to associate the toxic reaction with the artificial smell.

                My lady has Lush products and they are both less scented and less noxious than virtually anything else on the market. Stop with your FUD.

                • by Kazymyr (190114)

                  Second that. Fortunately my wife gets all of her Lush stuff in brick-and-mortar stores, not online.

                • by Ritchie70 (860516)

                  noxious/näkSHs/ Adjective: Harmful, poisonous, or very unpleasant.

                  I find Lush products to be noxious. My wife also finds their products to be noxious.

                  Lush sells a heavily-scented product line. If you don't believe that I don't know what to say.

                  It has some of the strongest, most intense scents I have ever encountered. I would rather stand down-wind from a hog farm than in an aisle full of Lush products.

                  If your lady has you convinced it's more lightly scented than other products, your lady is fucking wit

        • by AndGodSed (968378)

          A "top not" IT team will have a proper budget.

          Most of the things you mentioned cost money, and sadly most IT teams are the bastard children of management decisions as far as budget goes.

          It usually takes something like this before management decides to finally empower the IT team with some form of financial support for their IT needs.

    • "...if your salary weren't way above what us cheapskates are willing to pay!"

      Unfortunately, people who are skilled in IT are lacking in salary negotiating skills. The end result is that some of them go to the dark side.

      • by 1s44c (552956)

        "...if your salary weren't way above what us cheapskates are willing to pay!"

        Unfortunately, people who are skilled in IT are lacking in salary negotiating skills. The end result is that some of them go to the dark side.

        No doubt there is some truth is that. However the smart guys work for the challenge not the money. I know plenty of rich crap people and plenty of smart non-so-rich people.

    • by Haedrian (1676506)

      or whether the guy who designed the kit was formidable.

    • by 1s44c (552956)

      It's not a matter of whether the hacker's skills are formidable, it's a matter of whether Lush's IT team's aren't.

      Exactly. I'll bet the lush IT team consists of a few guys who might be reasonably smart but they just can't cover the amount of work they are meant to be doing. Management interference and other distractions most likely mean they could not keep track of all the work they should be doing.

      Unless they took the Microsoft route that is. Then they most likely employed a bunch of MCSE's who don't really understand technology, spent a fortune on windows servers and another fortune on active directory servers, and s

    • by Anonymous Coward

      "It's not a matter of whether the hacker's skills are formidable, it's a matter of whether Lush's IT team's aren't."

      No, it's whether they actually HAD an IT team, or whether they just paid for a website and expect it to run forever with their great management skills.

    • by Elentari (1037226)
      This is the forum post from their singular IT team member about the incident: http://img35.imageshack.us/img35/3715/lushpostuk.jpg [imageshack.us]
    • by Rogerborg (306625)
      No, really, the guy that beat me up was like seven feet tall. Also, there were three of him. All of them ninjas.
  • by cappp (1822388) on Saturday January 22, 2011 @03:09AM (#34963372)
    Weird. My ex always sent me off to increase my "online activities" whenever I made "continued attempts to enter".
    • Re: (Score:1, Funny)

      by kronosopher (1531873)
      "If you are reading this, our women would like to say that your talents are formidable. We would like to offer you a blowjob — were it not for the fact that your genitalia are clearly not compatible with ours or our customers."
      • by MichaelSmith (789609) on Saturday January 22, 2011 @04:14AM (#34963598) Homepage Journal

        'If you are reading this, our web team would like to say that your talents are formidable. We would like to offer you a job — were it not for the fact that your morals are clearly not compatible with ours or our customers.'

        Oh for fucks sake. Security isn't a battle against good or evil. The genius attackers are most likely using a simple exploit. An open mysql port or a conveniently informative log file. Fix your shopping cart you morons.

        • Re: (Score:2, Interesting)

          by Anonymous Coward

          'If you are reading this, our web team would like to say that your talents are formidable. We would like to offer you a job — were it not for the fact that your morals are clearly not compatible with ours or our customers.'

          Oh for fucks sake. Security isn't a battle against good or evil. The genius attackers are most likely using a simple exploit. An open mysql port or a conveniently informative log file. Fix your shopping cart you morons.

          MySQL? Looks like the port is open. Running 5.0.91 by the looks of it too.

          And they wonder why they were hacked.

          • by TheLink (130905)
            If you're unlucky, you might be accused of hacking them.

            Sometimes it's a good idea to stay clear of crime scenes.
  • Why were these teenagers hacking the Lush website anyway? Are they some sort of evil company that needs to be destroyed? If you're doing it for the fun of hacking, how much fun could it be to repeatedly hack a site that's obviously not very difficult to hack? Or is this just some juvinile delinquints trying to steal credit card details?

    • by jonbryce (703250) on Saturday January 22, 2011 @04:04AM (#34963562) Homepage

      They were doing it to steal credit card details. There are reports in the comments sections of various newspapers that they were using the cards to buy Telefonica O2 pay as you go credits. Presumably they then use these to phone premium rate numbers and cash out that way.

    • Re: (Score:3, Insightful)

      by coolmadsi (823103)

      Why were these teenagers hacking the Lush website anyway? Are they some sort of evil company that needs to be destroyed?

      I wouldn't really call them evil. They notified all their online customers that their details may have been compromised and to take precautions (my girlfriend was one of them), as opposed to keeping it quiet, not telling anyone, and hope everything blows over.

      My girlfriends often tells me how ethical they are as a company, they stopped using plastic packaging for their products wherever possible, and allow customers to return empty pots back to them for a discount on their next purchase (and they then re-u

      • by jimicus (737525)

        As its a cosmetic retailer, the only evil thing they do in my eyes is having all their strongly smelling soaps, bath bombs and other products out on display, so when I get dragged in with my girlfriend there's a wall of flowery smells to mess up with my breathing. Most girls don't seem to mind it though.

        That's the biggest advert they've got! You can smell one of their shops halfway down the street.

        • by BLKMGK (34057)

          Smells good to me. You can buy their soaps and your bathroom smells wonderful as well. I buy their stuff here in the States and like it actually. Is Lush Canada, Lush UK, and the Lush company here in the US all the same? I wonder what the other web sites are running... :-O

          • by jimicus (737525)

            Very much in so, they've openly admitted that they have been approached by people wanting to license/franchise the brand outside the UK where they're based and refused.

            • by BLKMGK (34057)

              Okay, well that makes sense. Here in the US I don't see them selling so much make-up like others have described as they do mostly natural bath products. I also don't see them in the likes of Macey's as has been described here. At least not that I've noticed. They DO have their own shops however and I've visited them at several malls and at an airport of all things. I always have some of their soap here and while I don't use it all the time the stuff smells great. I've actually found that when women smell it

              • by jimicus (737525)

                The Win2K web server was with an outside hosting company.

                I can't believe any self-respecting hosting company is still operating anything running 2K, so my money's on it being their own server in a colo (which is now an Apache server with United Hosting - who I don't think do colo so I'd imagine it's a case of "we need to move our site to something which we can be 100% certain hasn't been hacked 15 ways from sunday - only way to do that is to run it on a different server altogether").

                They do virtually no mak

  • by Dunbal (464142) *

    Someone thought that slashdotting the site would help more...

    • Well, after their servers experience a Chernobyl style meltdown from slashdotting, the hackers can't even get close enough to sift through the ashes! :-)

    • by coolmadsi (823103)

      Someone thought that slashdotting the site would help more...

      The site is mainly text with a couple of images. No adverts (I don't think). More likely to stand up to a large influx of visitors compared to a site that is half flashy adverts, due to transferring less data.

  • How do they ascertain customer's morals? Just because someone buys something from you doesn't mean they have good morals!

    What if the culprits turn out to be customers assisted by an employee? :)

    • by Dracula (27111)

      What if the culprit(s) turns out to be an employee?

    • by Anonymous Coward

      Consider that the customers are customers. That means that they pay money in return for products, as opposed to, say, stealing them. This might imply that the customers agree on "stealing is undesirable." Some might even extrapolate to "cracking servers is undesirable."

  • They specialise in handmade soaps and seem to be in pretty much every high street in the UK- Example: http://maps.google.com/maps/place?cid=10383864969614968362&q=lush&hl=en&sll=51.494368,-0.154123&sspn=0.049163,0.154324&ie=UTF8&ll=51.518891,-0.2314&spn=0,0&z=13 [google.com] You are more likely to get bath soap from them then eyeliner and you can smell the patchouli from one of their branches from quite a distance... Maybe their 'IT' team is in the same vein?
    • by Billlagr (931034)
      Australia too..I am greeted by the gently wafting smells every morning as I step out of the train station, on my way to work
  • by ebcdic (39948)

    The smell from their shops is so strong that it's actually unpleasant to stand at a nearby bus stop.

    • by Threni (635302)

      Exactly. If there were only some way of preventing the stores from opening and instead allowing customers to shop online...

      Having a page on eBay and Amazon is something a few companies are doing now. The sort of script-kiddies and spotty virgin bedroom boys who try and take sites down are too lame to be able to affect them, so you'd be safe.

  • Doesn't PCI:DSS forbid the storage of full credit card numbers?
    • by jimicus (737525)

      It does not, however, forbid taking the details in the first place. Which means that it'd be easy enough to slip a few lines into the shopping cart script that forward card details for every transaction to some hacker.

      Which would explain why they're only worried about customers who bought stuff in the last couple of months.

  • by Ian.Waring (591380) on Saturday January 22, 2011 @08:43AM (#34964320) Homepage
    My wife is a Lush customer, ordered online in the time period described and did have 2 £15 charges (total just north of $40) for prepay mobile phone credit debited from her account. She spotted that virtually immediately; however, her bank just wanted to snail mail post a claim form to her to get her money back, and O2 (the mobile phone company providing the goods from the fraudulent two transactions) said it was an industry agreed procedure to wait until the bank got in touch with them before they'd do anything. So, bottom line, the thieves have 5 days to use the credit they stole, when O2 could have invalided the transaction immediately and/or aimed some trace to the person using that mobile handset. About as much use as a cow on stilts. We need a Bill Bratton methinks. Follow the money, get to the source.
    • Re: (Score:2, Insightful)

      by cdrguru (88047)

      Why do you want credit card companies to persecute their customers? Shouldn't they be reaching out to their customers with a more friendly business model?

      You see, the way it works is the cardholder gets the stuff taken off their bill - usually no questions asked, it just happens. OK, so they want you to jump through some hoops for it, but it will happen no matter what.

      Then the credit card company charges back the purchase to the merchant. The merchant should have insurance to cover this sort of thing, so

    • Wow just yesterday my spouse got called by Amex because a (one single) charge appeared that fell outside her normal spending pattern and they suspended her card right away, told her she would not be charged the amount and told her a replacement card would be received within 5 business days.

      I used my business debit card for a sub $100 withdrawal, at an ATM in a branch of my bank, in a small town about 30 miles from where I normally do business. This set off some kind of alert and the fraud division called m

  • Their coconut soaps fantastic.

    Goes great with a bit of icecream and and grated dark chocolate.

    • I have this problem too - on initial inspection, and smell from a distance, I would far rather eat most of their products. Once you get close and smell the soap, the feeling goes away. I'm thinking there's a market for a shop that sells actual foodstuffs modelled on some of the Lush products.
      • > I'm thinking there's a market for a shop that sells actual foodstuffs modelled on some of the Lush products.

        Yeah, like speciality fudge or something.

        Don't think that the ingredients are that different, either. Replace the oil with butter, and add a bit of sugar :)

  • "We would like to offer you a job -- were it not for the fact that your morals are clearly not compatible with ours or our customers."

    Are these the same moral that allow Lush to charge premium prices for what is essential home made soap [wikipedia.org].

    • by poity (465672)
      I don't get it, how is charging premium prices a breach of morals? Do they have a soap monopoly?
    • by Skidborg (1585365)
      Restaurants charge a premium for what is essentially homemade food after all... if people are willing to pay for the convenience, why not let them?
    • by coolmadsi (823103)

      "We would like to offer you a job -- were it not for the fact that your morals are clearly not compatible with ours or our customers."

      Are these the same moral that allow Lush to charge premium prices for what is essential home made soap [wikipedia.org].

      I think its mostly hand made. Surprisingly human workers cost more than machines.

      Besides, most things of a 'premium' brand will have a large mark-up. I've heard that for trainers (sneakers? Is that the American term?) they don't get much better in quality past the £50 point, but companies still have ones that cost over twice that because if they didn't someone else would sell them for that much, and people would buy them (percieved high quality from spending more)

  • This example demonstrates precisely what can happen when a company which does not specialize in IT and the rigors of running a high traffic online storefront attempts to build same with an in-house crew or a band of hired consultants. Lush would have been much better off creating a storefront on Amazon and selling their products there. The readers of Slashdot will recall that Amazon threw off attempted DDOS attacks by Anonymous during the WikiLeaks affair without even breaking a sweat. My advice to Lush: go
  • It actually bothers me that they blame "oh noes teh hax0rz!!1!". As if there are all these evil hacker minions out there using their villainous technology to break in to sensitive systems. It's classic deflection of responsibility by generating fear of faceless bad guys.

    Windows 2000/IIS? Storing cc numbers as plain text in your online database? If you're gonna lay down next to fire ants, don't cover yourself in honey.

Things are not as simple as they seems at first. - Edward Thorp

Working...