The lottery's operator has found that
attackers probably used an automated method known as 'credential stuffing' to
access up to 150 customer accounts.
By Tomáš Foltýn
The lottery’s operator has found that
attackers probably used an automated method known as ‘credential stuffing’ to
access up to 150 customer accounts.
The United Kingdom’s National Lottery is
advising all of its 10.5 million registered online users to change their
passwords as a safety precaution following a security incident.
The recommendation comes after the lottery’s
o perator, Camelot, has detected suspicious activity on a small number of
customer accounts. It has found that attackers fraudulently accessed up to 150
customer accounts earlier in March and, once inside, viewed what Camelot
described as “very limited information”.
“A much smaller number – fewer than 10
accounts – have had some limited activity take place within the account since
it was accessed, but no player has seen any financial loss,” according to the
company’s statement.
Camelot has suspended all accounts where
suspicious activity was spotted and has contacted their owners in order to help
them “re-activate their accounts securely”.
“We are also urging National Lottery players
to change their online password, particularly if they use the same password
across multiple websites,” reads the statement.
It is understood that the hackers used a
common type of automated attack known as ‘credential stuffing’, in which they
leverage stolen or leaked authentication details from one online service for
attempts to crack open user accounts on other websites.
The success of this attack vector is fueled
by the all-too-common practice for many people to recycle their passwords across a number of
online services. Frequent data breaches and troves of breached credentials that
are readily available online further compound the problem.
The lottery’s website enables customers to
fund their National Lottery accounts with credit or debit cards, and then spend
the money on online lottery tickets or scratch cards. Camelot gave assurances
for The Daily Telegraph that the user accounts do not
display full card or bank account details.
In addition, Camelot said that the attackers
didn’t gain access to the National Lottery’s core systems or any of its
databases that would affect the lottery’s draws or the payment of prizes.
This incident is reminiscent of a similar,
though larger, attack in November 2016, when cybercriminals accessed the online
accounts of as many as 26,500 National Lottery customers. In September 2017, the lottery’s website and its associated
app were unavailable for several hours due to a distributed denial-of-service (DDoS) attack.