The lottery's operator has found that attackers probably used an automated method known as 'credential stuffing' to access up to 150 customer accounts.
The United Kingdom’s National Lottery is advising all of its 10.5 million registered online users to change their passwords as a safety precaution following a security incident.
The recommendation comes after the lottery’s operator, Camelot, has detected suspicious activity on a small number of customer accounts. It has
found that attackers fraudulently accessed up to 150 customer accounts earlier in March and, once inside, viewed what Camelot described as “very limited information”.
“A much smaller number – fewer than 10 accounts – have had some limited activity take place within the account since it was accessed, but no player has seen any financial loss,” according to the company’s statement.
Camelot has suspended all accounts where suspicious activity was spotted and has contacted their owners in order to help them “re-activate their accounts securely”.
“We are also urging National Lottery players to change their online password, particularly if they use the same password across multiple websites,” reads the statement.
It is understood that the hackers used a common type of automated attack known as ‘credential stuffing’, in which they leverage stolen or leaked authentication details from one online service for attempts to crack open user accounts on other websites.
The success of this attack vector is fueled by the all-too-common practice for many people to recycle their passwords across a number of online services. Frequent data breaches and troves of breached credentials that are readily available online further compound the problem.