Thousands of shoppers who ordered cosmetics online over the past three and a half months could have had their card details stolen.
High street giant Lush says its website has been hacked by fraudsters and is advising every customer who placed an online order since 4 October to contact their bank or credit card company immediately.
The company stresses the problem only affects orders via its website, not those placed by phone or in store.
Many Lush customers have already reported on our forum that they have been victims of fraud.
One forum poster, little_lil, says: "Our card was used fraudulently over Christmas – now I know where they got the details from! Luckily Tesco spotted what was happening and stopped our card."
Lush has closed its website to orders. Its homepage is completely dedicated to alerting consumers to the hack.
Lush online customer? What should you do?
The UK Payments Association, a trade body for card firms, advises anyone who made an online order with Lush since early October to check their statements for fraudulent activity and to contact their card firm for advice.
A spokeswoman says: "If you are a victim of fraud as a result of this there is no liability and your bank should offer a full refund."
Lush says in a statement: "Security monitoring has shown that we are still being targeted and there are continuing attempts to re-enter.
"We refuse to put our customers at risk of another entry so have decided to completely retire this version of our website.
"For complete ease of mind, we would like all customers who placed online orders with us between 4 October and 20 January to contact their bank for advice as their card details may have been compromised."