Lush website hack 'exposes credit card details'

Luxury cosmetics firm Lush has ditched its UK website in response to a sustained hacking attack which left users vulnerable to credit card fraud. The firm warns that credit card details submitted to the Lush.co.uk site between 4 October and 20 January may have been compromised by the assault by unknown hackers. Customers are …

COMMENTS

This topic is closed for new posts.
  1. Anonymous Coward

    Why on earth...?

    As someone affected by this, I want to know why my card details were being stored in cleartext, rather than being encrypted. Having an SSL link to pass my details when shopping is bugger all use if they're going to be held in-the-clear on a server at the other end. Not even a basic hash...?

    1. Mark 65

      I wouldn't worry about the hashing

      They're probably printed out on a nightly report that either gets left on a desk for the cleaners or chucked in the normal waste.

    2. Anonymous Coward

      Clear or not...

      They may not have been stored in the clear, but there would need to be a system to decrypt them, maybe this was hacked too?

      1. This post has been deleted by its author

  2. Tom_

    Credit Card Details

    I hope their expanded explanation will cover their reasoning for storing unencrypted card details.

  3. The Mole

    Retiring

    I can just imagine the development log:

    Site

    Version 1.1.23 Hacked

    Version 1.1.24 Added one line fix to close security hole.

    Version 1.1.25 Changes CSS skinning slightly so site looks subtly different

    Version 2.0.0 UpperManagement decided old site must be 'retired' so upped version number to 2.0.0 and have told upper management that it is a new website (pointed at the slightly different colours and page layout when they questioned this)

    1. Pete 2 Silver badge

      an uneducated guess

      Once the website went live, they "retired" the person who developed it (or their mum won't let them do any more freelancing until the school holidays). Now they need to get their security sorted out, that person, or the Post-It they wrote the documentation on, is no longer available.

  4. Anonymous Coward
    WTF?

    ex-squeeze-me

    PCI-DSS ?

    Having had to work through this forwards and backwards across all our operating companies' setups, I can't see how on earth this is even possible. Which means Lush's payment handler will make them foot the bill for any breaches.

    1. Anonymous Coward

      Unencrypted card details?

      I hope someone is recreationally fired for that mistake.

      I *think* if the card issuers find the data has not been held securely they can not only force Lush to cover the losses, but they can refuse to offer card services to the company.

      1. Anonymous Coward

        No card services

        That is probably the reason the article states that the new site will initially only be accepting PayPal as a payment option.

        I know that in systems I work with the card details (number, dates & cvn) are never written to the server, the only thing that gets written is the last 4 digits of the card number, the card type, the outcome of the transaction and the transaction reference number (example 3754,Visa,Success,1/35325/234)

  5. LinkOfHyrule
    Coat

    da bomb

    I like their bath bombs - terrific stuff! But their on-line customer safety strategy stinks!

  6. dave 46
    WTF?

    a complete rewrite?

    It's the only way, all that shiny new code will be free of bugs and vulnerabilities, new code always is.

    Isn't it?

    1. Elmer Phud
      FAIL

      and

      It also implies that as they are pulling the whole lot and not just taking it down to fix it then the site was awful to start with.

      So, who signed off the original?

      Who didn't test it? (are there not tools for this?)

    2. serviceWithASmile
      Flame

      i say

      we take off and nuke the site from orbit.

      it's the only way.

  7. Anonymous Coward
    Stop

    Tat seller = Good back office? Not!

    What incentive would a vendor of over-perfumed tat (what the fuck do we need bath bombs for?) have to prudently look after other people's credit card details?

    1. LinkOfHyrule
      Joke

      wtf do we need bath bombs for

      "what the fuck do we need bath bombs for"

      Um, excuse me but they actually make for great bath plug-hole blockers!

  8. Anonymous Coward
    FAIL

    hmm interesting

    Got the email this morning, I like the way they came clean...(no pun intended) their original site sucked and the payment side hardly worked at all, seemed to be based on Joomla and virtuemart, put together by a college kid.

    Anyway, took the chance (wife, xmas etc) and got stung by it.. loads of xbox live payments, online gambling and a personal dating site which just about sums up the pricks that did the hack. Few other transactions which appeared to be from around the Poole area so this would link up with where Lush are based, maybe an inside job???

    Bank typically don't give a shit, but from the transactions it doesn't look particularly difficult to track these twats down if they pulled their finger out.

    1. Anonymous Coward

      Bank follow-up

      Someone used my credit card details to buy a Sports Illustrated magazine subscription. I used the reference details on my credit card bill to log in to the guy's account on the Sports Illustrated website and get the subscription delivery address in Colorado - presumably the perp's home address. I live in the UK but I had used the card in a nearby Gap store in Colorado shortly before.

      So I called the bank again to give them the address, but their response was total disinterest. I think they're only interested if there's a bonus in it for them.

      1. SirTainleyBarking
        Grenade

        Denver PD would presumably be rather interested

        They even have the phone number on the website

        http://www.denvergov.org/Default.aspx?alias=www.denvergov.org/police

        A nice simple collar for them, helps up the crime solving stats, could uncover something better.

        They might even send you some free doughnuts as a thank you

  9. Tatsky
    FAIL

    RE: PCI-DSS

    Having also been through PCI, with several providers and setups I also cannot see how this is possible. Surely the most basic vulnerability tests would have picked this up?

    When filling out the SAQ did they just skip past the bit about the security or encryption around their database? Did they even declare that they store these details? That should have unleashed a world of hurt with their PCI.

    I for one will always go down the route of never touching, seeing or being anywhere near a customer's card details. Hire a PCI compliant payment provider, and just have them tell you when the money has been taken.

    1. Mark Aggleton

      SAQ

      Not sure what Tier Lush are but may not be able to self-assess.

  10. andy gibson
    Unhappy

    how come

    Someone in government or the civil service does this and the public and media are baying for blood / sacking / hanging.

    But a private company does and it barely gets a mention, other than in the tech journals.

    1. John G Imrie

      That's because ...

      When someone in government or the civil service does this and the public and media are baying for blood / sacking / hanging, nothing happens.

      When a private company does it, someone gets sacked.

  11. this

    Lush - Luxury?

    Have you seen their products?

  12. Studley
    Paris Hilton

    Alanis Morissette would be proud

    Old website removed because of concerns over fraudulent financial activity, new website replaces this with PayPal.

    Paris, because she's also prone to having her holes exposed online.

  13. Anonymous Coward
    WTF?

    What do you expect IIS?!

    Oh dear....netcraft 'what's this site running' information: (no wonder they are retiring it)

    Redstation Internet Ltd Internet Web Hosting 212.87.79.77 Windows 2000 Microsoft-IIS/5.0 5-Jun-2007

    and it looks like their splash page has just been changed to

    Linux Apache 21-Jan-2011 89.145.74.105 United Hosting IPv4 Assignment

    ....

    1. pj3090

      That totally explains the trapster hack too!

      Linux Apache/2.2.3 (CentOS) 21-Jan-2011 173.203.24.249 Trapster.com

      1. kirovs

        Devil is in the details

        Do we know when it occurred or how? You cannot blame Linux for that unless you have data for it. I cannot say MS IIS is at fault for lush as well, since details are missing. Still it is interesting if they switched to Linux recently.

        1. pj3090

          @kirovs

          That was my point, really, although my post ended up sounding like I was participating in a fanboy war. I would be willing to bet in both cases that the hack was not due to a flaw in the underlying stack, but some foolishness at the application level.

  14. Danny 4

    ...nuke the entire site from orbit. It's the only way to be sure.

    Sucks to have your website hacked. Sounds like failure to filter input but all over the site and hacks on top of hacks. If they customised Joomla then keeping it up to date will be tricky at best. Clearly they looked at the code and decided it was better to start again.

    It's why I use my own code site-wide. A faff but I know the site inside-out. And I enjoy the programming. The small pleasures of watching fruitless probes for a non-existent CMS make it all worthwhile...

    1. Smifter
      Thumb Up

      @Danny 4

      "The small pleasures of watching fruitless probes for a non-existent CMS make it all worthwhile..."

      I concur. I see it all the time.

  15. Andrew Woodvine

    Storing credit card details

    Why did they even need to store the full card details? Once the payment has been authorised just keep the (encrypted) card number (in case of a charge-back) and delete the expiry date and security digits. The card number alone would be worthless to the hackers.

  16. doperative
    Joke

    storing credit cards online

    Why in this day and age are they still storing credit cards online and in the clear? What have all the innovators been doing this past decade?

  17. arsebiscuiting

    Am I being thick?

    I've not seen anything which says the attackers picked up passwords from a file or from the database in plain text. This attack would be easily achievable using XSS or simple insertion of code into the PHP on the server at the point the browser commits them. Said code could email to a drop box account or access a remote server to upload the card details.

    Without auditing of all live files against the database, an html file could have had a remote scripting attack in it for months without being detected, especially if the site design wasn't changed.
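
The audit described in the comment above, sketched as an added example that is not part of the original post or of any Lush code: it assumes a known-good manifest of SHA-256 hashes recorded at deploy time and reports files modified, added or removed since then. The function names, file names and file contents are constructed for illustration.

```python
import hashlib
import os
import tempfile

def build_manifest(root):
    """Map each file's path (relative to root) to its SHA-256 digest."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                digest = hashlib.sha256(fh.read()).hexdigest()
            manifest[os.path.relpath(path, root)] = digest
    return manifest

def audit(root, known_good):
    """Compare the live tree with a known-good manifest taken at deploy time."""
    live = build_manifest(root)
    return {
        "modified": sorted(p for p in live if p in known_good and live[p] != known_good[p]),
        "added": sorted(p for p in live if p not in known_good),
        "removed": sorted(p for p in known_good if p not in live),
    }

def demo():
    """Constructed sample: a tiny web root that changes after deployment."""
    with tempfile.TemporaryDirectory() as root:
        def write(rel, text):
            with open(os.path.join(root, rel), "w") as fh:
                fh.write(text)
        write("index.html", "<h1>Shop</h1>")
        write("checkout.php", "<?php process_order(); ?>")
        write("about.html", "<p>About us</p>")
        known_good = build_manifest(root)  # assumption: stored off-server in practice

        # Simulated changes: one edited file, one new file, one deleted file.
        write("checkout.php", "<?php process_order(); /* unexpected extra line */ ?>")
        write("cache.php", "<?php /* file nobody deployed */ ?>")
        os.remove(os.path.join(root, "about.html"))
        return audit(root, known_good)

if __name__ == "__main__":
    for kind, paths in demo().items():
        print(kind, paths)
```

Keep the manifest somewhere the web server cannot write, otherwise whoever alters the files can alter the baseline too.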

  18. Anonymous Coward
    Unhappy

    Storing credit cards

    I worked, albeit for 3 months, for a large company who did payment processing. Credit cards were stored in a SQL database in cleartext along with the name and address of the customer. This SQL database was visible on the internet and was about 8 characters away from being hacked (given that the sa account could be used). I think the only reason they got away with it is because nobody has ever heard of them (they only handle the payments) and thus didn't attack them. I left when I realised I was the only developer who seemed to think there was anything wrong with much of what they did.

  19. Danny 2

    Plain Stupid

    If you follow where the money goes then an attack on Lush is likely to be one of the Climate Change Deniers' computerised 'complaints', much like the so-called 'leak' of the University of East Anglia emails. Corporate malfeasance is often the simplest explanation.

  20. Anonymous Coward
    Paris Hilton

    How ironic

    Within hours of using my boss's Mastercard to buy a network switch on-line at bargain basement prices, it ended up being used to attempt to buy high-end cosmetics at a bricks & mortar 2,800 km. from here. No, the boss had never been there. No, he doesn't have a mistress there. So the guys who cracked the high-end cosmetics boutique may have been simply trying to avenge us! The Fountain Valley, CA beauty shop had the decency to call and check since the bill-to / ship-to were so much at odds.

    I guess we humans are good for something after all....

    Paris, just cuz.

  21. James Woods

    imagine that

    This company isn't in the US so I can't be too harsh but I can say it's good to see we still have companies out there that have no idea how to manage their security yet they are accepting credit cards through the internet.

    Credit cards truly were a good idea. The card companies make a gazillion dollars while basically sharing no liability. The merchants in general are sacked with the expenses of keeping in 'compliance' yet things like this still seem to happen.

  22. Snaver
    FAIL

    What a joke..

    "24 hour security monitoring has shown us that we are still being targeted and there are continuing attempts to re-enter." OBVIOUSLY, why wouldn't you expect this? Any front-end website on the internet will face constant attacks, I bet they came to this conclusion after checking attempted ssh logins, genius!

    "We Believe hacking is a serious crime which steals large amounts of money and disrupts the lives of cardholders." No.. really?

    "We Believe that hacking erodes the trust between businesses and their customers and creates a climate of fear around online ordering." No, just no. Not investing the correct amount of resources in your online business will erode the trust between yourself and your users.

    The climate of fear that they talk about has come around because of businesses like themselves, businesses that just don't take these kind of issues seriously. Like investing in a decent web company.

    I hope they get sued for this massive breach of user data.

  23. This post has been deleted by its author
