Shoppers using Lush's online stores in Australia and New Zealand on Tuesday were urged to cancel their credit cards, after the site was hacked.
The popular handmade cosmetics business Lush shut down its Australian and New Zealand websites on Tuesday, leaving only a statement warning customers to urgently contact their banks.
"We are sorry to announce that the Lush Australia and New Zealand websites have been hacked," the company said in the statement released on Tuesday.
"We have been alerted today to advise that entry has been gained and customer personal data may have been obtained by the hackers.
"We urgently advise customers who have placed an online order with Lush Australia and New Zealand to contact their bank to discuss if canceling their credit cards is advisable."
According to Lush Australasia director Mark Lincoln, the code the website was written in was a very old version that had not been updated. He admitted that the company's out-of-date computer system has left thousands of its Australian customers vulnerable to hackers.
It follows a similar attack on Lush's United Kingdom parent company in January, when a security lapse left customers exposed to hackers for four months. Lush said it was doing all it could to investigate the privacy breach and was working with the police, forensic investigators and banks.
It is not yet known how long Australian and New Zealand Lush customers' details were left exposed by the security breach.
However, RMIT Internet security expert Mark Gregory said Lush should have done more to protect its customers.
"Companies quite often use the same technology if they operate in more than one country," he told ABC News on Tuesday.
"So it would be very straightforward if a hacker was able to break into the website in one country to then target the website in our countries.
"The failure here, it appears, is the company hasn't reacted quickly. They should have either changed the security on their other websites or taken the websites down until security is improved.
"It's a very disappointing thing to see again."
Australian web developer Mark Fitzgerald purchased from the Lush online store about a year ago and was informed Monday morning that his credit card details may have been compromised. His bank contacted him last week saying it had cancelled his credit card because it was used in a fraudulent transaction.
It has not been confirmed whether the fraudulent transaction is related to the Lush hack, but Fitzgerald told ABC News that he is angry that Lush kept his credit card details for so long.