UK’s National Lottery urges millions of players to change their passwords

The lottery's operator has found that attackers probably used an automated method known as 'credential stuffing' to access up to 150 customer accounts.

The lottery’s operator has found that attackers probably used an automated method known as ‘credential stuffing’ to access up to 150 customer accounts.

The United Kingdom’s National Lottery is advising all of its 10.5 million registered online users to change their passwords as a safety precaution following a security incident.

The recommendation comes after the lottery’s operator, Camelot, has detected suspicious activity on a small number of customer accounts. It has found that attackers fraudulently accessed up to 150 customer accounts earlier in March and, once inside, viewed what Camelot described as “very limited information”.

“A much smaller number – fewer than 10 accounts – have had some limited activity take place within the account since it was accessed, but no player has seen any financial loss,” according to the company’s statement.

Camelot has suspended all accounts where suspicious activity was spotted and has contacted their owners in order to help them “re-activate their accounts securely”.

“We are also urging National Lottery players to change their online password, particularly if they use the same password across multiple websites,” reads the statement.

It is understood that the hackers used a common type of automated attack known as ‘credential stuffing’, in which they leverage stolen or leaked authentication details from one online service for attempts to crack open user accounts on other websites.

The success of this attack vector is fueled by the all-too-common practice for many people to recycle their passwords across a number of online services. Frequent data breaches and troves of breached credentials that are readily available online further compound the problem.

The lottery’s website enables customers to fund their National Lottery accounts with credit or debit cards, and then spend the money on online lottery tickets or scratch cards. Camelot gave assurances for The Daily Telegraph that the user accounts do not display full card or bank account details.

In addition, Camelot said that the attackers didn’t gain access to the National Lottery’s core systems or any of its databases that would affect the lottery’s draws or the payment of prizes.

This incident is reminiscent of a similar, though larger, attack in November 2016, when cybercriminals accessed the online accounts of as many as 26,500 National Lottery customers. In September 2017, the lottery’s website and its associated app were unavailable for several hours due to a distributed denial-of-service (DDoS) attack.

Sign up to receive an email update whenever a new article is published in our Ukraine Crisis – Digital Security Resource Center