Cosmetics company Lush has admitted its out-of-date computer system has left thousands of its customers vulnerable to hackers.

Shoppers using Lush's online stores in Australia and New Zealand have been urged to cancel their credit cards today after the company's website was targeted by cyber thieves.

Lush Australasia director Mark Lincoln has told ABC News Online their online customer database has been stolen.

He says Lush customers were not informed their credit card details were being stored on the database and he understands why customers would be upset about that.

"They wouldn't have been informed that they were kept," he said.

He says a failure to keep the website updated left customers exposed to the hacking attack.

"The code that the website was written in was a very old version and it hadn't been updated, so it was a legacy from that code," he said.

It follows a similar attack on Lush's UK parent company in January, when a security lapse left customers exposed to hackers for four months.

"Following the events that happened in the UK with our parent company, we started reviewing the security arrangements for our sites and reviewing the process of capturing orders and how they were processed," Mr Lincoln told ABC News Online.

"We were actually in the process of deleting those details from our database, so we had become aware that was an issue, and we were in the process of making changes to the code."

But Mr Lincoln says shutting down the website to protect customers was not an option.

"We had discussions with our web-hosting provider who believed the site had not already been compromised, so we believed the best thing to do was to carry on and put in further monitoring and further security precautions," he said.

Lush failure

It is not yet known how long Australian and New Zealand Lush customers' details were left exposed by the security breach, which will see the website out of action for up to two months.

Mr Lincoln says forensic investigators are in the process of working out how far back the breaches go.

He says Lush first became aware of the problem yesterday, and sent emails out to customers late last night.

But RMIT internet security expert Mark Gregory says Lush should have done more to protect its customers.

"Companies quite often use the same technology if they operate in more than one country," he said.

"So it would be very straightforward if a hacker was able to break into the website in one country to then target the website in our countries.

"The failure here, it appears, is the company hasn't reacted quickly. They should have either changed the security on their other websites or taken the websites down until security is improved.

"It's a very disappointing thing to see again."

Dr Gregory says these sorts of attacks show the Australian Government must put in place best-practice guidelines for companies operating websites.

"Things can be done to prevent these sorts of things," he said.

"Online fraud is big business nowadays. We've heard recently that over $1 billion is carried out annually online."

Credit card compromised

Perth web developer Adam Fitzgerald purchased from the Lush online store about a year ago and was informed this morning that his credit card details may have been compromised.

His bank contacted him last week saying it had cancelled his credit card because it was used in a fraudulent transaction.

It has not been confirmed whether it is related to the Lush hacking, but Mr Fitzgerald is angry that Lush kept his credit card details for so long.

"I don't think any company needs to be storing credit card details at all," he said.

"That stuff has no real reason to be stored, so that's annoying and frustrating."

Mr Fitzgerald also says he would like to know more about what has actually happened.

"It's nice to be upfront about what's happened, but it [the email from Lush] doesn't really go into too much detail about what's happened, apart from the credit card details side of things," he said.

"With your personal information that's stored - you'd assume your name, home address, phone number, email addresses, password - all of those sorts of details that are obviously personal details that would have been stored, but it really doesn't go into what parts of those were affected.

"Were people's home addresses revealed? Have phone numbers been taken? Are passwords stored? I'd love to know exactly what was affected so I can take the necessary steps."

Another Lush customer, Janet Drummond, used the website to buy goods in the past month.

She is happy with how both Lush and her bank have kept her informed over this breach, but says she was unaware the cosmetics company was keeping her details.

"[I] had no idea they kept details on the site somewhere, as with each order I make I have to retype my credit card details. I have ordered from them many times," she said.

Lush has apologised to its customers and says no store or mail order customers were affected by the attack.