Thousands of National Lottery accounts have been hacked by cyber criminals. The National Lottery operator Camelot said it believed that around 26,500 players' accounts were accessed after suspicious activity was detected.
26,500 National Lottery players' accounts accessed
In a statement issued earlier on Wednesday, Camelot said that hackers might have accessed players' personal details in this hacking attempt. The National Lottery told customers on Twitter that their names, contact details, transaction history, card expiry date, account preferences, and the last four digits of their card number could be included in the stolen data.
No money was taken from or added to the compromised accounts. Camelot also doesn't believe that its own system was compromised during the hacking attempt, and said the players' login details had been stolen from somewhere else.
"We are currently taking all the necessary steps to fully understand what has happened, but we believe that the email address and password used on the National Lottery website may have been stolen from another website where affected players use the same details," Camelot said in a statement.
"If there's 26,500 accounts here and they are saying the credentials are correct but they didn't come from us, they still let an attacker log in 26,500 times," security researcher Troy Hunt told the BBC.
The Information Commissioner's Office said it has launched an investigation into the matter. "Camelot submitted a breach report to us last night which we have reviewed. We will be talking to Camelot today," an Office spokesperson said.
Camelot became aware of the attempt on Monday and confirmed that the hackers couldn't access "core National Lottery systems" or any databases which would affect draws or the payment of prizes.
The company has initiated a compulsory password reset for all the affected players. "We are in the process of pro-actively contacting them to help them change their passwords, as well as giving them some more general online security advice," the firm added.
Camelot said that, of its 9.5 million registered online players, nearly 26,500 players' accounts were accessed in the hacking attempt. The Information Commissioner's Office is now investigating whether the organization failed to keep personal data secure. "Organizations should be reminded that cybersecurity is a matter for the boardroom, not just the IT department."