The website for the vegan makeup company Lime Crime, whose wares are sold by Urban Outfitters and Nasty Gal, among others, admitted they'd been hacked earlier this week and that customer information has been compromised. But customers are up in arms over the way the site handled telling them that – or not telling them, as the case may be.
On Monday, the site posted large blocks of color on Instagram and Facebook accompanied by the following blurb:
Lime Crime Customers,
We have received reports of potential data breach on our website due to a hacker attack. We are NOT taking these reports lightly and are working with the authorities to investigate the nature and scope of the incident.
On Tuesday, they posted this update, using the same method of communication:
Cyber crime is a real thing and, unfortunately, it's common. We have contacted law enforcement and have been working with forensic specialists in order to investigate the incident we believe took place on our website. What we know so far is that we've been attacked by hackers seeking to take credit & debit card data (based on our current investigation PayPal users were NOT affected). We do not yet know the window during which this occurred. We apologize profusely for any frustration this may have caused! 💳 At this time, we recommend that you review your banking activity vigilantly and contact your bank or credit card company immediately if any fraudulent transactions occurred. ❌ We will be reaching out directly to anyone that may have been affected with additional information and support. 📩 We are not going anywhere. All orders placed on the website will still be shipped! 📦 limecrime.com will return after we investigate and rebuild a better, safer, more secure platform for you. We will continue to share any information we have and are compiling an FAQ on the incident that will be available shortly.
Many furious commenters on Lime Crime's Facebook page allege that the company has known about the security flaws in its checkout system for months; some argue that Lime Crime was using an expired SSL certificate, which is used to secure credit card transactions. Since the fall, customers have been noticing that their credit card information has been stolen after using Lime Crime's website, but have received no response or action.
"It's cute how you didn't bother doing anything about this until it became public," wrote one woman. "There were people who reported this to you back in November and you didn't bother until it became bad PR." Others say that Lime Crime has been deleting negative comments about the security breach on their social media platforms, which is pretty par for the course in this type of situation.
Yesterday, Lime Crime posted this most recent update, stating that they didn't address the security flaws until now because "we didn't have any solid facts and couldn't see the magnitude of the situation":
Thank you for bearing with us as we further investigate the recent hacker attack on our site. We know it's important to keep you in the loop! 📯 Many of you are wondering why we didn't disclose this earlier. The simple answer is: we didn't have any solid facts and couldn't see the magnitude of the situation. Based on just a handful of early complaints, we immediately initiated an investigation. It wasn't until very recently that a cyber forensics company retained by us found malicious software placed on our servers by hackers. Please know that as soon as we had more solid information, we shared it with you promptly and openly.
Some of you also wanted to know why a routine makeup post was removed earlier this week. We removed the post because the discussion was causing confusion and misinformation to our fans and customers. We felt it was important to make a dedicated post addressing the issue and share all the best information available. In retrospect, we agree that it wasn't the best way to handle things and we are sincerely sorry for any frustration it caused. 📩📩📩 It's taking a while, but we are in the process of compiling a list of everyone affected & will be contacting directly. An FAQ is also under way. We treasure our customers and promise to keep you informed. We appreciate all the support, thank you for sticking by us during these trying times.
Lime Crime founder Doe Deere (pictured above; that is not her real name) has reposted the most recent two statements on her personal Instagram account and the Lime Crime website is still down. This is hardly the first time the company has come under fire; there are multiple Tumblrs devoted to their "shady" and "dishonest" practices. Many customers appear to consistently complain about poor communication from Lime Crime, as well as lag time between ordering and receiving products.
Deere (who refers to herself as "the Queen of Unicorns") is a former musician who used to sell DIY clothes on eBay. She ended up starting Lime Crime after her makeup tutorials and her presence on LiveJournal took off. But she's been referred to as a "manipulative liar," and has been accused of everything from trying to sue customers for complaining about her company, to photoshopping the colors of her products, to not actually producing fully vegan products, to simply repackaging makeup from wholesalers. Last week, Deere posted a photo of herself with the caption, "Sorry for lack of updates, guys. I'm making a lot of necessary changes to the company so that we can serve you better. Thanks for bearing with us! We love you. XOXO Doe Deere #CEO #redvelvet." (Red Velvet is the name of one of her lipsticks.)
I've emailed Lime Crime for comment and will update accordingly.
Images via Lime Crime and Doe Deere/Instagram