National Lottery: 10 million players told to change passwords as attackers hit online accounts

Unauthorised access to accounts -- gained through 'credential stuffing' attacks -- was discovered during security monitoring, says parent company Camelot.
Written by Danny Palmer, Senior Writer

Millions of National Lottery players have been urged to change their passwords following what parent company Camelot describes as "suspicious activity" involving lottery accounts.

Camelot, which runs the National Lottery, insists there's been no access to core systems or databases that would affect lottery draws or prizes, but has recommended that its 10.5 million registered users change their passwords following a number of unauthorised logins.

A Camelot spokesperson told ZDNet that the account breaches are thought to be the result of "credential stuffing", a type of cyber-attack where previously-stolen account details are entered into other websites in the hope that the victim uses the same username and password.

In this instance, it means the affected National Lottery users have previously had their details stolen elsewhere and shared among cybercriminals.

In an email sent to registered users, Camelot said it had uncovered suspicious activity on some accounts as part of "regular security monitoring".


Cyber-attackers are believed to have gained access to up to 150 accounts and "very limited information" about those users, including their first name and the amount of money loaded into their National Lottery account.

A handful of accounts -- believed to number under 10 -- also saw attackers carry out "limited activity" after breaching them, but Camelot said that no player has experienced any sort of financial loss and that financial information isn't displayed in online accounts.

"We would like to reassure our players that we do not display full debit card or bank account details on their online National Lottery accounts," Camelot said in a statement.

Accounts where suspicious behaviour was spotted have been suspended and the owners have been directly contacted.

Camelot has recommended that all users change their passwords as a precaution, particularly anyone who reuses the same password on other websites, both to prevent further unauthorised logins to National Lottery accounts and to stop the same stolen credentials being used against accounts on other websites.

A Camelot spokesperson told ZDNet that the company is "continually looking at ways to improve our IT security procedures" but that "cybercrime is constantly evolving and, unfortunately, this type of activity is almost indistinguishable from normal player activity -- particularly the very sporadic and low-level activity we have recently seen".
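The signal that separates the attack described above from ordinary failed logins is one source touching many different accounts rather than one account many times. As an added illustration (not Camelot's or ZDNet's code; the log format, field names and thresholds are assumptions, and the log lines are constructed), here is a small Python detector that aggregates login results per source address over the whole log rather than a short window, so sporadic, low-level activity of the kind Camelot describes still accumulates:

```python
"""Flag credential-stuffing patterns in web login logs.

Added example, not Camelot's or ZDNet's code. The log format, field names
and thresholds are assumptions; the log lines are constructed samples.
"""
from collections import defaultdict

# Constructed sample: one source tries many different accounts a few times
# each (stuffing), while an ordinary user mistypes one password and retries.
SAMPLE_LOG = """\
2018-03-05T10:00:01Z ip=203.0.113.7 user=alice result=FAIL
2018-03-05T10:00:04Z ip=203.0.113.7 user=bob result=FAIL
2018-03-05T10:00:09Z ip=203.0.113.7 user=carol result=OK
2018-03-05T10:00:13Z ip=203.0.113.7 user=dave result=FAIL
2018-03-05T10:00:20Z ip=203.0.113.7 user=erin result=FAIL
2018-03-05T10:01:02Z ip=198.51.100.4 user=frank result=FAIL
2018-03-05T10:01:10Z ip=198.51.100.4 user=frank result=OK
"""

def parse_line(line):
    """Split 'ts ip=.. user=.. result=..' into (ip, user, result)."""
    kv = dict(tok.split("=", 1) for tok in line.split()[1:])
    return kv["ip"], kv["user"], kv["result"]

def aggregate(log_text):
    """Per source IP: distinct users tried, attempt/failure counts, users hit OK."""
    stats = defaultdict(lambda: {"users": set(), "attempts": 0,
                                 "failures": 0, "ok": set()})
    for line in filter(str.strip, log_text.splitlines()):
        ip, user, result = parse_line(line)
        s = stats[ip]
        s["users"].add(user)
        s["attempts"] += 1
        if result == "OK":
            s["ok"].add(user)
        else:
            s["failures"] += 1
    return stats

def flag_stuffing(stats, min_users=4, min_fail_ratio=0.5):
    """Return {ip: sorted accounts it logged into OK} for suspicious sources.

    A forgetful user hammers one account; a stuffing client spreads a few
    attempts over many accounts, so distinct users per source is the
    discriminating signal, with the failure ratio as a sanity check.
    """
    return {ip: sorted(s["ok"]) for ip, s in stats.items()
            if len(s["users"]) >= min_users
            and s["failures"] / s["attempts"] >= min_fail_ratio}
```

The accounts listed for a flagged source are the ones that were actually entered, which is the set a defender would suspend and contact, as Camelot did here.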


Around 26,500 National Lottery accounts were previously hacked, in late 2016. That hack also took place as a result of credential stuffing: attackers took emails and passwords previously stolen from other websites -- and likely shared on the dark web -- and used them to log in to National Lottery accounts. Users were told to change their passwords following the incident.

Camelot has reported the incident to the police, the National Cyber Security Centre (NCSC) and the Information Commissioner's Office (ICO).

"We are aware of an incident involving The National Lottery's website and are in contact with the company and other agencies," an ICO spokesperson told ZDNet.

"We have been working with Camelot UK Lotteries after suspicious activity was noted on a small number of players' accounts," an NCSC spokesperson told ZDNet.

"Everybody should take steps to keep themselves as safe as possible from cyber incidents and the NCSC's website includes security advice, such as around passwords and two-factor authentication," they added.

The NCSC also recommends that users change their passwords for any online services where they use a password similar to the one they use to log in to their National Lottery account.
