As many as 150 player accounts registered with the UK's National Lottery were compromised, accessed and potentially viewed by an unauthorised party, according to an online statement from Camelot, the parent company that runs the sweepstakes.
Camelot further reported that fewer than 10 accounts "have had some limited activity take place within the account since it was accessed, but no player has seen any financial loss."
The total number of affected registrants represents a minuscule fraction of the 10.5 million individuals who own a lottery account. Nevertheless, Camelot has recommended that all players change their passwords, especially if they use the same password for multiple websites. This serves as a precaution against credential stuffing attacks, which is what likely compromised the impacted accounts, a company spokesperson told ZDNet.
"Password re-use can be a crippling mistake. It's less risky for attackers to use authentic credentials than to leverage exploits, as security tools are more likely to detect an active exploit," said Travis Smith, principal security researcher at Tripwire. "Since the same log-in credentials are commonly re-used across different websites, stolen credentials from one breach can lead to several other breaches."
Camelot has assured players that it does not display full debit card or bank account details on their online accounts, and that "there has been no unauthorised access to core National Lottery systems or any of our databases, which would affect National Lottery draws or the payment of prizes."
The company also reported that it suspended all compromised accounts and contacted their rightful owners, as well as the proper authorities.