Up To 26,500 National Lottery Online Accounts Are Breached
National Lottery and experts suggest accounts breached by reusing compromised credentials
As many as 26,500 National Lottery online accounts have been accessed by hackers in what is believed to be the latest instance of cybercriminals re-using online credentials harvested from major data breaches.
A number of such breaches have affected major websites like Yahoo and Dropbox in recent times and because so many people reuse passwords, this means other accounts could be compromised.
Camelot, which runs the National Lottery, said that of 9.5 million accounts it noted suspicious activity in 26,500 and saw that activity had taken place in 50 since the pattern was detected.
National Lottery breach
The company does not store the full debit and credit card details of players but there is personal information.
“On 28 November 2016, as part of our online security monitoring, we became aware of suspicious activity on a very small proportion of our players’ online National Lottery Accounts,” said the firm.
“We would like to make clear that there has been no unauthorised access to core National Lottery systems or any of our databases, which would affect National Lottery draws or payment of prizes. In addition, no money has been deposited or withdrawn from affected player accounts.
“We are currently taking all the necessary steps to fully understand what has happened, but we believe that the email address and password used on the National Lottery website may have been stolen from another website where affected players use the same details.”
Camelot says it has suspended the accounts in question and is proactively contacting the people affected.
Experts agree that the reuse of passwords is the most likely cause.
“Consumers need to understand the importance of proper password management and avoiding recycling logins for multiple services, especially if the service deals with financial and personal data,” said David Kennerly, director of threat research at Webroot.
“The forced password reset for the 26,500 accounts affected is exactly the right response. We would also recommend that anyone who is concerned about their account should change their password, especially if you have re-used the credentials across multiple online services.”
Take our data breaches quiz here!