UK Lush website Hacked


UK Lush website Hacked

Post by tatyy on Fri 21 Jan - 13:42

Here is the message I received today from Lush UK:
We would like to draw your attention to the statement below, as we believe you placed an order with us during the affected period. We are keen for customers not to have their credit cards used fraudulently, so urge you to contact your bank.

Thank you for your past custom, we really appreciate all the support you give - especially at this time whilst we are under attack.

Everyone at Lush xx

********************************************************************************

Our website has been the victim of hackers.

24 hour security monitoring has shown us that we are still being targeted and there are continuing attempts to re-enter.


We refuse to put our customers at risk of another entry - so have decided to completely retire this version of our website.

For complete ease of mind, we would like all customers that placed ONLINE orders with us between 4th Oct 2010 and today, 20th Jan 2011, to contact their banks for advice as their card details may have been compromised.

We Believe hacking is a serious crime which steals large amounts of money and disrupts the lives of cardholders.
We Believe that hacking erodes the trust between businesses and their customers and creates a climate of fear around online ordering.
We Believe in working with police and banks to do all we can to bring this branch of organised crime to justice.

A completely separate, temporary website will be launched in a few days - initially taking PayPal payments only.

Meanwhile we would be delighted to serve you in our shops or take your order at our Mail Order Phone Room. Both of which have not been affected by this crisis since the credit card terminals are directly linked to the banks only and are not internet based.

We would like to thank all our customers for standing shoulder to shoulder with us whilst we have shared being victims of this crime.

Re: UK Lush website Hacked

Post by Oré on Fri 21 Jan - 14:19

I received the same one, but I noticed that it isn't really in the mail-order email format, more in the "newsletter" format.

Re: UK Lush website Hacked

Post by lamomecrevette on Fri 21 Jan - 14:30

Thanks for posting the email, because I didn't receive anything (are they being selective with the emails too?)

And tadaaa, today, in The Guardian:

http://www.guardian.co.uk/money/2011/jan/21/lush-website-hack-customers-fraud



Handmade cosmetics group Lush has admitted its website was hacked repeatedly by fraudsters over the past three months, putting thousands of customers at risk of having their card details stolen. But the company only informed customers last night.

Lush has taken down its website and replaced it with a statement: "We would like all customers that placed online orders with us between 4 Oct 2010 and 20 Jan 2011 to contact their banks for advice as their card details may have been compromised."

The beauty company warned: "24 hour security monitoring has shown us that we are still being targeted and there are continuing attempts to re-enter".

Customers will be unable to make purchases until a new site is launched "in a few days" accepting only PayPal payments, but orders are still being taken via its mail order telephone service, which the cosmetics group said had been unaffected by the "crisis". Customers who paid by card in Lush stores are also unaffected.

Lush posted a video of dancing lemmings alongside its statement to "try to share a smile" and added an amusing message for the hackers: "If you are reading this, our web team would like to say that your talents are formidable. We would like to offer you a job – were it not for the fact that your morals are clearly not compatible with ours or our customers".


Graham Cluley, senior technology consultant at computer and web security firm Sophos and a respected blogger on the subject, said: "If I were a customer of Lush's website I wouldn't feel like smiling this morning. It would certainly be interesting to hear when Lush first discovered that they had suffered from a security breach. Was it at the same time as they posted the message on the front page of their website, or have they known for a while longer?"

Many customers are also speculating why it took Lush so long to inform customers if the website was first hacked in October, especially as its statement indicates it has 24-hour web security.

One post on Twitter read: "So Lush knew they were hacked since Christmas and they've JUST decided to share the info? Disappointed, really am". Another Tweet said: "I don't care if Lush products are eco friendly or not. I care if they keep my bank details secure". Another claimed: "I still have my emails from Lush dated back to 2007 in which they admit to having serious glitches and 'gremlins' with their website".

Patrick Taylor, a Lush customer from Blackpool, told the Guardian: "Lush makes nice stuff and seems to be a cool company, but as soon as they noticed the hack they should have shut down the website and notified customers. Thousands of us will have been affected by this. My girlfriend is now having to check her credit card details."


Victims were also posting messages on the Lush Facebook page. One wrote: "We've had our card compromised and used in fraudulent transactions just three days ago. It has now been cancelled and we have no way to access our money."

There was also speculation as to how long Lush had been holding on to customer's financial data in an unsecure environment. One Lush victim said: "We used Lush's site back in late Nov. They must have been holding our details unencrypted since then."

'Security is of paramount importance'


In a statement Lush said: "We became aware in late December that www.lush.co.uk had been the subject of attacks by hackers. Our customers' security is of paramount importance to us and as soon as we realised this was the case, we immediately took down our UK website and a thorough investigation followed and extra security measures put in place.

"24-hour monitoring has shown that another attempt to hack our UK site has been made and again, we have taken down our UK website as a precaution.

"We are horrified that this has happened, we understand the distress of those affected and we appreciate our customers' continued support while we resolve the matter. We will be continuing to work with our credit card acquirer to carry out a full investigation in to this hacking attempt."

Lush has in the past been praised by green campaigners for not using animal fats in its products, as well as its stance against animal testing – it performs tests with human volunteers instead. The group has also sold products that pass on the full purchase price to charities, as well as promoting various charities on its product packaging.

Loyal customers are defending the company and praising it for the way its statement was written. One Twitter user wrote: "I like the way Lush is handling the hackers that have shut down its online trading". Another wrote: "Some horrible people have hacked Lush website … they need to get a life and leave the lovely peeps at Lush alone".

Cluley said Lush appeared to be adopting a "social media response" to the security breach. "Although the news for customers is very worrying, they are trying to present the news in a warm-and-cosy way," he said. "I do wonder, however, how well customers will take news that their credit card details may have been compromised – and may not appreciate Lush's attempts to smooth the waters."

He added that it would have been more helpful if Lush had linked to information showing people how to tell if their credit card is being abused and the next steps affected customers should take. Instead, Lush customers are merely advised by the company to contact their bank or credit card provider for advice.


Re: UK Lush website Hacked

Post by Oré on Fri 21 Jan - 14:38

Do you get the newsletters, Lamomecrevette, or not?

Thanks for the article!

Re: UK Lush website Hacked

Post by tatyy on Fri 21 Jan - 14:41

+1, thanks a lot for the article!

Re: UK Lush website Hacked

Post by lamomecrevette on Fri 21 Jan - 14:56

Oré wrote: Do you get the newsletters, Lamomecrevette, or not?

Thanks for the article!

No, I don't get it!

I only get news from the French mail order and I'm on Facebook (Lush Limited and Lush France).
And I've been waiting forever for someone to deign to activate my account on the Lush UK forum...

As for the article, I found it on Facebook, a girl posted it (suddenly that's less classy! It made me look like the girl who reads The Guardian; busted).

Re: UK Lush website Hacked

Post by mimipeanuts on Fri 21 Jan - 15:29

Tatyy, are you aware that there's a topic in "Rants"?

Re: UK Lush website Hacked

Post by lucix on Fri 21 Jan - 17:28

I'm going to turn it into an announcement in the "Lush events" section so that non-members can take a look.

_________________
sex, lush & rock'n roll

Re: UK Lush website Hacked

Post by Sheena on Mon 24 Jan - 10:05

Do you know if they're going to make a gesture for the girls who got hacked?
Because for me it's €580 gone, I'm overdrawn until my bank refunds me, but it takes a long time... (and I had to postpone a weekend abroad with my boyfriend - his Christmas present - because I could no longer pay for it...).


Re: UK Lush website Hacked

Post by clemce76 on Mon 24 Jan - 10:12

So actually the French mail order did make a gesture, because many who had been hacked got no reply from the UK mail order, so they went and talked to the French mail order, which replied and offered to send a small gift to those who had sent a message. They no longer do it, but it was a real goodwill gesture, given that it wasn't their site's fault. Bad luck with all your misadventures. Hang in there.

Re: UK Lush website Hacked

Post by Sheena on Mon 24 Jan - 10:19

Yes, I wrote to the French mail order too late.
And I wrote to the UK mail order; they've just sent me back a copy-pasted email that doesn't even match what I told them in mine, and doesn't match as far as the dates go...
Basically, they don't give a damn.
I had ordered €230 worth; I think those were my last Lush purchases...


Re: UK Lush website Hacked

Post by clemce76 on Mon 24 Jan - 10:23

:S that's a shame!! I think they must be replying to all the messages at once, but still, they could at least change the dates and add a personalised message to answer the questions.

Re: UK Lush website Hacked

Post by Sheena on Mon 24 Jan - 10:28

I'm still very disappointed that they waited until the end of January (so after Christmas, and after the sales) to announce the fraud, when they must have known, since customers reported it as early as the end of December...
Basically, the ethics seem to stop where revenue starts to be threatened. It's very disappointing coming from Lush.


Re: UK Lush website Hacked

Post by Winnie on Mon 24 Jan - 10:53

Oh Sheena, it's clearly really hard for you all!!!

We have no further news about any possible compensation; I'm reposting for you the latest message made on behalf of Lush on the English forum, which Oré posted yesterday.

Oré wrote: I've just come back from the UK forum, where Hilary added a few details about the hack:

I've been in on some meetings today to clarify what I can and can't say at this stage.
It isn't because we are trying to hide anything - just that we don't want to jeopardise anything or step too far from the advice we are given.

So some things that we can say and might be helpful to know:

These hackers typically operate from a core of countries across the world, hack, then sell the data on.

The criminal buyers can use that data immediately or can hold on to it for some time (sometimes for many many months, we are told) before attempting to use it.

They often do small test purchases, then go on to do larger ones if these clear unchallenged.

Regarding the questions about the type and nature of hacking that we have had:
Until the full external forensic investigation has been done, which we set into motion after the events over Xmas, we will not be able to answer the questions regarding the dates, type of hacking and data theft that has happened. Our web team have done their bit, but we do not want to preempt the full results of the proper investigation. It will be a PFI investigation, which will go to our web team and the banks and credit card companies and will help us know the full details of the breach and learn from it for our new website.

We first became aware of website problems on Xmas Day. By Boxing Day we were aware of unauthorised entry and immediately took the website down. It remained down until extra security had been added and 24 hour monitoring put in place, including direct mobile phone alerts to our webteam.

We did not know that the entry to our site had been credit card data related, we merely knew that someone had entered the site - which did not necessarily mean data had been compromised. We initially took the site down on Boxing Day because any entry was enough for us to not continue trading on it until assessment had been made.

The first reports to us of fraudulent credit card use came from our French customers on a thread in this forum. We asked for full details to be emailed to us so we could investigate and take this further.

Up until Tues of this week, we had 43 customers email a report of fraudulent use of credit cards to us. First official confirmation of these definitely having come from transactions on our website was received this week.

Once we knew the data was from transactions through our website, we wanted to act quickly to ensure that we did everything we could to prevent this happening to any further customers.

We decided that the website should come down again until the external security audit could be completed.
We sought advice from various experts in this field and were told, by more than one agency, that removing the website is not normal procedure in our circumstances. Taking our website down and going public was described to us as 'an unusual and courageous decision' and that it is 'not unusual to trade on through' and say nothing as many companies fear the 'loss of face'.

The Oct to Jan warning date has been decided because we wanted it to cover a larger period than we think has been exposed. We hope we are erring very much on the side of caution here. We would rather notify more customers than required, than find out in retrospect that we had narrowed it and missed people.
The reason the warning date was extended forward to Jan since the first announcement was because one customer has come back to us reporting a fraudulent use of a card that was used on our site in Jan (since the extra security was added) and again, we did not want to take any risk of under warning other customers.
The window of time that our banks are reporting back to us of confirmed fraudulent transactions on cards is very much shorter than these dates - but again, we do not want to sit back and rely on the current reports being the whole picture.

Once it was confirmed that we were a source of data compromise, we wanted our customers to be able to talk to their banks and cancel cards if advised - and thereby be able to avoid the disruption to their lives. Since our email alert went out (to all customers between Oct and Jan) we have had lots of customers come back to us and say they have checked their statement after reading the email, and spotted small test usage. Some on here are also reporting larger purchases appearing on their statements. Our French customers too have been subjected to large purchases. Each and every one of these is genuinely heartbreaking to us and we would never wish to have had this happen to you through our website.

We do not have full information on the numbers affected, because we only know of the ones who have reported back to us. Meanwhile, the banks will be compiling a full list of fraudulent uses tracked back to us.

We will be looking very hard at the external report to prevent any future weaknesses and have booked external checks of the new website that was currently under construction before this recent crisis hit. So we have two things happening - external companies looking back over the past website to see where and how the breach happened, and also looking forward at the new website before it goes live to check for future robustness.


I think this answers most of the outstanding questions that I have spotted in this and other threads. I hope you understand that we are trying to give as much info as we safely and accurately can. All of you on here know Big, Tony and myself and will understand that over the last few weeks holding back from telling stuff has been the hard thing, as we have waited for events to unfold and confirmation to come back. It is a relief to finally be able to put more of the info out here.

Tony has been on the phone to me this evening to say that he is without internet access but wanted me to say to you that he is sorry that all the back scene stuff has kept him away from the forum today, but that he will make sure he is at Mail Order all day tomorrow near a phone should anyone need him.

Thank you all again for the support you have shown us this week. I hope you realise that we really don't take you guys for granted and the well wishes we have received from you have been much discussed and appreciated all across Lush Towers over the last few days.


hilary @ Lush


Otherwise, you should know that Lush's "ethics" are, unfortunately, very much marketing all the same.

I hope you get refunded quickly!

Re: UK Lush website Hacked

Post by Sheena on Mon 24 Jan - 11:10

They're nice, but their email is a bit of blah-blah, because they knew about the intrusion on 24 December and took almost a month to close the site and warn people...

In my case the debits were made between 24 and 27 December; it will take me another good month before I'm refunded...

And it's true that the ethics-everywhere side put me off at first, when all my girlfriends were trying to convert me... but then I tried the products and I took the plunge, haha!


Re: UK Lush website Hacked

Post by Winnie on Mon 24 Jan - 11:26

I think we all have the same problem: we know it's blah-blah around it, but still, the products have qualities you can't find elsewhere and are powerfully addictive...

Re: UK Lush website Hacked

Post by clemce76 on Mon 24 Jan - 11:42

Especially the addictive side. Take me, for example: I'm not very happy about what happened on their site, but I'm going to fill up a basket at the shop later... because I have 10% off

Re: UK Lush website Hacked

Post by tatyy on Mon 24 Jan - 11:47

I can't get onto the Lush UK forum, is that normal?
Hello Sheena and welcome to the forum (sorry to see that you're also one of those whose bank card was hacked). There is an introductions topic in which newcomers/new members introduce themselves, and a topic on the bank card hacks in the "Rants!" section. Have a good day and looking forward to reading you!

Re: UK Lush website Hacked

Post by lucix on Mon 24 Jan - 13:15

Tatty, she won't be able to access the "Rants" section. Not right now, anyway.


Re: UK Lush website Hacked

Post by tatyy on Mon 24 Jan - 13:29

Okay, I didn't know.

Re: UK Lush website Hacked

Post by lucix on Mon 24 Jan - 13:31

Hehehe, no big deal.


Re: UK Lush website Hacked

Post by Sheena on Mon 24 Jan - 15:24

OK, I'll go and introduce myself right away ^^


Re: UK Lush website Hacked

Post by Sophienet on Thu 27 Jan - 20:27

In your opinion, how long does it take to rebuild a site with strengthened security? I'm getting impatient

Re: UK Lush website Hacked

Post by lucix on Thu 27 Jan - 20:32

I'm fed up too!


Re: UK Lush website Hacked

Post by Sophienet on Thu 27 Jan - 20:43

On top of that I'm so hopeless with computers that I can't even imagine how long it takes!
I was convinced it would be done in a day or two, but now it's starting to drag on... And I'm imagining the worst! Imagine if we can no longer order from outside the UK, eh? What will become of us if we're condemned to mail order and the shops? We'll become very poor, that's all