Camelot Group, parent company of The National Lottery, has advised over 10 million users to change their passwords following the compromise of user accounts.
The breach itself resulted in the compromise of around 150 accounts, with fewer than 10 of these seeing any activity during the period. Camelot says that no players have seen any financial losses as a result, and that only user accounts (which show partial, not full, details of payment information) were accessed, not Camelot’s own systems.
Email addresses and passwords (which may already have been leaked; this is likely how the hackers knew to use the successful combinations) will have been exposed. Other account information may also have been leaked, including the user’s first name and the amount of money loaded into their National Lottery account.
According to Camelot, the breach began on March 7, and was most likely caused by a credential stuffing attack. Compromised accounts were suspended and all users affected were notified, as were the police, the National Cyber Security Centre (NCSC) and the Information Commissioner’s Office (ICO).
“We have been working with Camelot UK Lotteries after suspicious activity was noted on a small number of players’ accounts,” said an NCSC spokesperson. “Everybody should take steps to keep themselves as safe as possible from cyber incidents and the NCSC’s website includes security advice, such as around passwords and two factor authentication.”