The accounts of over 26,000 National Lottery players have been compromised, resulting in the potential theft of sensitive personal information, operator Camelot has revealed.
The firm said in a statement that it picked up unusual activity on the accounts on Monday as part of its security monitoring.
However, it was at pains to point out that no National Lottery core systems had been affected and no money had been deposited or withdrawn from the affected accounts.
“We are currently taking all the necessary steps to fully understand what has happened, but we believe that the email address and password used on the National Lottery website may have been stolen from another website where affected players use the same details.
“We do not hold full debit card or bank account details in National Lottery players’ online accounts and no money has been taken or deposited. However, we do believe that this attack may have resulted in some of the personal information that the affected players hold in their online account being accessed.”
Some 26,500 accounts are believed to have been accessed, with activity subsequently taking place in 50 of those – although Camelot admitted this could have been by the account owners rather than the hackers.
Nevertheless, it has suspended those accounts and instigated a compulsory password reset on all 26,500.
This is the latest in a long line of attacks likely enabled by credential stuffing: consumers frequently reuse the same email address and password across sites, so a username and password list leaked from one site can simply be replayed against the login page of another.
Deliveroo last week blamed a widespread fraud campaign against its customers on that very practice, while the iCloud calendar and photo-sharing spam deluge seen over the past few weeks most likely began after spammers got hold of users’ iCloud-linked email addresses.
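Camelot says it noticed the attack as "unusual activity" in its security monitoring. The following is an added example of what such a detection looks like in practice; it is not Camelot's code, and the log format, the addresses, the account names and the thresholds are all constructed for illustration. Credential stuffing has a distinctive shape in authentication logs: one source tries many different accounts in a short window, most attempts fail, and the handful that succeed are the accounts whose owners reused a leaked password.

```python
"""Credential-stuffing detection over authentication logs.

Added example, not Camelot's monitoring. The log format, source addresses,
account names and thresholds below are constructed for illustration.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: one line per login attempt (not real data).
SAMPLE_LOG = """\
2016-11-28T09:00:01Z ip=203.0.113.10 user=alice@example.net result=FAIL
2016-11-28T09:00:02Z ip=203.0.113.10 user=bob@example.net result=FAIL
2016-11-28T09:00:02Z ip=203.0.113.10 user=carol@example.net result=OK
2016-11-28T09:00:03Z ip=203.0.113.10 user=dave@example.net result=FAIL
2016-11-28T09:00:03Z ip=203.0.113.10 user=erin@example.net result=FAIL
2016-11-28T09:00:04Z ip=203.0.113.10 user=frank@example.net result=OK
2016-11-28T09:00:05Z ip=203.0.113.10 user=grace@example.net result=FAIL
2016-11-28T09:00:05Z ip=203.0.113.10 user=heidi@example.net result=FAIL
2016-11-28T09:05:00Z ip=198.51.100.7 user=ivan@example.net result=FAIL
2016-11-28T09:05:20Z ip=198.51.100.7 user=ivan@example.net result=OK
2016-11-28T10:00:00Z ip=192.0.2.44 user=judy@example.net result=OK
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)$"
)


def parse_log(text):
    """Parse log lines into dicts; lines that do not match the format are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        d = m.groupdict()
        d["ts"] = datetime.strptime(d["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(d)
    return events


def find_stuffing_sources(events, window=timedelta(minutes=10),
                          min_accounts=5, min_fail_ratio=0.5):
    """Return {ip: set(accounts)} for source IPs that, inside any `window`,
    tried at least `min_accounts` distinct usernames with a failure ratio of
    `min_fail_ratio` or more. One user mistyping their own password does not
    trip this; replaying a leaked list against many accounts does."""
    by_ip = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        by_ip[e["ip"]].append(e)
    flagged = {}
    for ip, evs in by_ip.items():
        start = 0  # sliding window over this source's attempts
        for end in range(len(evs)):
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            chunk = evs[start:end + 1]
            users = {e["user"] for e in chunk}
            fails = sum(1 for e in chunk if e["result"] == "FAIL")
            if len(users) >= min_accounts and fails / len(chunk) >= min_fail_ratio:
                flagged.setdefault(ip, set()).update(users)
    return flagged


def accounts_to_reset(events, flagged):
    """Accounts with a *successful* login from a flagged source: the leaked
    credential worked, so the password is known and must be reset."""
    return {e["user"] for e in events
            if e["ip"] in flagged and e["result"] == "OK"}


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    flagged = find_stuffing_sources(evs)
    for ip, users in flagged.items():
        print(f"stuffing source {ip}: {len(users)} accounts probed")
    print("force reset:", sorted(accounts_to_reset(evs, flagged)))
```

Run against the constructed log, the single source that sprays eight accounts in a few seconds is flagged, the lone user who retries his own password is not, and the two accounts that opened from the flagged source are the ones to reset. Note the limit Camelot itself ran into: a successful login from a stuffing source tells you the password was leaked, but it cannot by itself tell you whether later activity on that account was the attacker or the owner, which is why resetting every probed account is the safe response.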
Chris Hodson, EMEA CISO at Zscaler, argued the fact that no payment data was taken shouldn’t lessen the impact of the breach.
“Confidential data can still be used to build a false customer profile or commit subsequent fraud at scale,” he added.
“To mitigate risks in the short-term, account holders should update passwords and avoid using the same password across multiple sites. Instead they should consider using a password vault to store a variety of different, and more complex passwords without becoming reliant on the security of corporate enterprises.”
Ollie Whitehouse, technical director at NCC Group, argued that all companies which store online passwords have a responsibility to do so “in a manner which cannot easily be recovered and reused by threat actors if they are breached.
“Companies are increasingly consuming post-breach threat intelligence of other companies to mitigate the effects against their services,” he added. “If this had been done in this instance the impact would have likely been far less.”
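The two points Whitehouse makes, storing passwords so a breach does not hand them to attackers and consuming other companies' breach data to protect your own users, translate into a small amount of concrete code. The following is an added illustration, not code from Camelot, NCC Group or Zscaler; the breached-password corpus, the leaked (email, password) dump and the accounts are all constructed here, and the PBKDF2 iteration count is an assumption to be tuned per deployment. Passwords are stored only as salted PBKDF2 hashes, new passwords are refused if they appear in a breach corpus (looked up by SHA-1 prefix so the lookup side never sees the full hash), and a dump from another site's breach is screened against existing accounts to find reused credentials before an attacker replays them.

```python
"""Password storage and breach screening.

Added example, not National Lottery, NCC Group or Zscaler code. The breach
corpus, the leaked dump and the accounts are constructed for illustration.
"""
import hashlib
import hmac
import os
from collections import defaultdict

PBKDF2_ITERATIONS = 200_000  # assumption: tune so one hash costs ~100 ms

# Constructed corpus of passwords seen in earlier breaches (illustrative).
BREACHED_PASSWORDS = ["password", "123456", "qwerty", "letmein", "lottery2016"]


def _sha1_hex(password):
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


# Index the corpus by 5-hex-char prefix: a client sends only the prefix,
# which matches many unrelated passwords, and matches the suffix locally.
_BREACH_INDEX = defaultdict(set)
for _pw in BREACHED_PASSWORDS:
    _h = _sha1_hex(_pw)
    _BREACH_INDEX[_h[:5]].add(_h[5:])


def suffixes_for_prefix(prefix):
    """The lookup side's answer: every suffix stored under one prefix."""
    return set(_BREACH_INDEX.get(prefix, ()))


def is_breached(password):
    """Client side: reveal only the prefix, compare the suffix locally."""
    h = _sha1_hex(password)
    return h[5:] in suffixes_for_prefix(h[:5])


def hash_password(password, salt=None):
    """Salted PBKDF2-HMAC-SHA256: slow to brute-force and not reversible."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                                 PBKDF2_ITERATIONS)
    return salt, digest


def verify_password(password, salt, digest):
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, digest)


class AccountStore:
    def __init__(self):
        self._accounts = {}  # email -> (salt, digest); plaintext is never kept

    def register(self, email, password):
        """Refuse passwords already in the breach corpus; store only a salted hash."""
        if is_breached(password):
            raise ValueError("password appears in a known breach")
        self._accounts[email] = hash_password(password)

    def login(self, email, password):
        rec = self._accounts.get(email)
        return rec is not None and verify_password(password, *rec)

    def screen_against_dump(self, dump):
        """Consume another site's breached (email, password) pairs. Any pair
        that also opens an account here is a reused credential, so the
        account is flagged for a forced reset before an attacker tries it."""
        return sorted(email for email, pw in dump if self.login(email, pw))


if __name__ == "__main__":
    store = AccountStore()
    store.register("alice@example.net", "correct horse battery staple")
    store.register("bob@example.net", "Tr0ub4dor&3")
    try:
        store.register("carol@example.net", "letmein")
    except ValueError as exc:
        print("carol:", exc)
    # Constructed dump, as if obtained from an unrelated site's breach.
    dump = [("alice@example.net", "wrong guess"),
            ("bob@example.net", "Tr0ub4dor&3"),
            ("nobody@example.net", "hunter2")]
    print("force reset:", store.screen_against_dump(dump))
```

Screening costs one slow hash per dump entry that matches a local email, which is the price of a deliberately slow password hash; that cost is paid once, on receipt of the dump, rather than per login. Had the lottery operator's user base been screened against the dumps its attackers were replaying, the reused credentials would have been reset before the attack rather than after it, which is the reduction in impact Whitehouse describes.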