UK National Lottery operator Camelot is urging online lottery players to change their passwords following a security breach.
On Friday, Camelot issued a statement alerting customers that its routine online security monitoring had detected some “suspicious activity on a very small proportion of our players’ online National Lottery accounts.” Camelot has notified the police, the Information Commissioner’s Office and other authorities about the breach.
Camelot said the activity affected only a small number of online lottery accounts – roughly 150 out of 10.5m total registrations had been subject to an unauthorized log-in. “Fewer than 10 accounts” were subject to “some limited activity” after being accessed, but Camelot insists that “no player has seen any financial loss.”
Camelot also insisted that it was taking “all the necessary steps to fully understand” the scope of the intrusion, and that it had suspended all of the affected accounts and was working with those players to reactivate them. As a precaution, Camelot urged all National Lottery players to change their passwords.
A National Lottery spokesperson said the perpetrators are believed to have used a widely circulated list of credentials in a ‘credential stuffing’ attack, bombarding various websites with email address and password combinations to see which ones match.
Camelot has dealt with similar shenanigans before. In November 2016, a much wider intrusion saw 26,500 accounts unlawfully accessed, with 50 accounts experiencing some kind of unauthorized activity after being accessed.
Last October, the National Lottery website was knocked offline for 90 minutes on the night of a Saturday drawing by a distributed denial of service (DDoS) attack. Camelot has also suffered digital own-goals, including releasing a buggy mobile app that erroneously informed players that winning tickets were losers.