The U.K.’s National Lottery said Wednesday that around 26,500 players’ accounts have been accessed by hackers.
Camelot, which organizes the National Lottery, said that it became aware of suspicious activity on some players’ online accounts Monday. The organization believes that email addresses and passwords used on the National Lottery website may have been stolen from another website where affected players use the same details.
Compulsory password resets have been initiated on the 26,500 accounts and Camelot is contacting the players to help them change their passwords and provide security advice.
“We would like to make clear that there has been no unauthorised access to core National Lottery systems or any of our databases, which would affect National Lottery draws or payment of prizes,” said Camelot, in a statement. “We do not hold full debit card or bank account details in National Lottery players’ online accounts and no money has been taken or deposited. However, we do believe that this attack may have resulted in some of the personal information that the affected players hold in their online account being accessed.”
Camelot has also taken the precaution of suspending “fewer than 50” accounts where personal details have been changed since the accounts were accessed. The organization, which acknowledges that the changes may have been made by the players themselves, is contacting the players to help them reactivate their accounts securely.
The National Lottery has 9.5 million registered online players.
Experts say that hackers’ targeting of National Lottery players highlights the importance of tight password security. "Hacks due to password reuse spell out where most users fall in the convenience versus security balancing act,” explained Alvaro Hoyos, chief information security officer at identity and access management specialist OneLogin. “Even if you are confident your password is ‘strong’, due to a thriving hacked data marketplace, your strong, but reused password might be floating out there already."
In a blog post on the National Lottery incident, security expert Graham Cluley urged consumers to store their passwords within a secure password manager. “You then only have to remember one, complicated gobbledygook master password,” he wrote.
Hacked passwords can be easily bought and sold on clandestine online markets such as the dark Web. Earlier this year, for example, Twitter reset an unspecified number of accounts after millions of user credentials turned up on the dark Web.
The dark Web, or darknet, refers to private networks built from connections between trusted peers using unconventional protocols. Dark Web is just one part of what is known as deep web – a vast network which is not indexed by search engines such as Google and Bing.
Follow James Rogers on Twitter @jamesjrogers