Posted on March 18, 2018 at 7:52 AM
Some ten million lottery customers in the UK are being advised to update their login credentials. The National Lottery site was attacked last week by cybercriminals. Around 150 accounts were compromised, and fewer than ten were accessed for activity.
National Lottery Customers Vulnerable
According to the UK National Lottery, hackers have tried to access online customer accounts, and in some cases were successful in viewing limited information. The Lottery says that more than 10 million players should change the passwords on their online accounts in order to protect themselves. The need to change passwords is especially dire for customers who use the same email and passcode combination for more than one site login.
The hackers gained access to roughly 150 accounts using a technique called “credential stuffing.” Credential stuffing is a technique by which hackers use a computer to input the same email address and password combination on a large number of websites. Eventually, a website will accept the combination, and the hackers are able to use that information to gain access elsewhere if users use the same combo. The attackers were able to enact some activity in fewer than ten accounts, but information from other accounts may have been viewed. According to Camelot, no customers have lost any money. It is also expected that any discovered username and password combination has been shared with fraudsters.
Camelot takes security measures
In response to the hack, the lottery website will have a statement that discloses the strange activity and asks players to update their information. All 10.5 million online users should be expecting Camelot to contact them in reference to this matter. Customers whose accounts were actually accessed have already been contacted. Camelot would like customers to know that they do not display account details or card numbers on their online accounts. They have, in addition to contacting affected users, suspended affected accounts. Legitimate users will be assisted in re-activating accounts with secure passcodes.
The hack began on March 7, and Camelot has not observed much in the way of activity since then. The hacker activity has been low level and has mimicked normal player behavior. Once identified, Camelot reported the strange activity to the police and to the Information Commissioner. The lottery administrator also is working with the National Cyber Security Centre on this issue.
Camelot said it had reported the security breach to the police and the Information Commissioner’s Office and was liaising with the National Cyber Security Centre.