Hackers are cashing out after stealing credit card numbers from Lush’s UK website, which was shut down on Friday and replaced with a message that warns customers that their account information may have been compromised.

According to the message, anyone who made online purchases on the handmade cosmetic company’s UK site between October 4th and January 20th is at risk of having their credit cards used fraudulently.

Lush also left a message for the hacker:

“If you are reading this, our web team would like to say that your talents are formidable. We would like to offer you a job – were it not for the fact that your morals are clearly not compatible with ours or our customers.”

We’re sure that the hackers are absolutely broken up about the scolding — especially since comments on the cosmetic company’s Facebook profile make it clear that they have started a shopping spree on Lush customers’ dime.

Several customers detail purchases made using their stolen credit card information. Others express anger over the length of time that Lush waited after discovering that hackers had penetrated the site on Christmas Day.

Hilary Jones, ethical director at Lush, told the BBC that the company used the time between Christmas and Friday to investigate what the hacker’s intentions were (perhaps they were just looking for information on bath soaps?). When it became obvious that the hackers had started to make small test purchases using Lush customers’ credit cards, Lush shut down its site.

Other companies like Trapster-maker Reach Unlimited and Gawker Media, on the other hand, notified customers almost immediately when their sites were compromised recently.

A temporary Lush UK website, which prudently will only accept PayPal payments, is scheduled to be launched in a few days. But it might be a while before its customers muster enough forgiveness to shop there.

More About: credit-card, e-commerce, hack, Lush, security