Cosmetics firm Lush has shut down its UK Web site in the wake of an attack by hackers that has put the payment card details of customers at risk.
In a statement on its site, the company says all customers that placed online orders between 4 October and today are at risk and should contact their banks for advice.
Security monitoring shows the site is still being targeted, prompting Lush to completely retire the site. A new one will be launched in a few days, initially taking PayPal payments only.
The risk that the stolen details are being used by crooks is significant according to Rik Ferguson from security outfit Trend Micro. In a blog he says he was alerted to the attack by a friend, whose card, along with her husband's, has been used to make fraudulent online purchases worth around £6000.
Meanwhile, Lush has addressed the hacker on its site, saying: "If you are reading this, our web team would like to say that your talents are formidable. We would like to offer you a job - were it not for the fact that your morals are clearly not compatible with ours or our customers."