Credential stuffing attack suspected after several UK National Lottery accounts compromised

As many as 150 player accounts registered with the UK's National Lottery were compromised, accessed and potentially viewed by an unauthorized party, according to an online statement from Camelot, the parent company that runs the sweepstakes.

Camelot further reported that fewer than 10 accounts "have had some limited activity take place within the account since it was accessed, but no player has seen any financial loss."

The total number of affected registrants represents a minuscule fraction of the 10.5 million individuals who own a lottery account. Nevertheless, Camelot has recommended that all players change their passwords, especially if they use the same password for multiple websites. This serves as a precaution against credential stuffing attacks, which is what likely compromised the impacted accounts, a company spokesperson told ZDNet.

"Password re-use can be a crippling mistake. It's less risky for attackers to use authentic credentials than to leverage exploits, as security tools are more likely to detect an active exploit," said Travis Smith, principal security researcher at Tripwire. "Since the same log-in credentials are commonly re-used across different websites, stolen credentials from one breach can lead to several other breaches."

Camelot has assured players that it does not display full debit card or bank account details on their online accounts, and that "there has been no unauthorized access to core National Lottery systems or any of our databases, which would affect National Lottery draws or the payment of prizes."

The company also reported that it suspended all compromised accounts and contacted their rightful owners, as well as the proper authorities.

Bradley Barth

As director of multimedia content strategy at CyberRisk Alliance, Bradley Barth develops content for online conferences, webcasts, podcasts, video/multimedia projects — often serving as moderator or host. For nearly six years, he wrote and reported for SC Media as deputy editor and, before that, senior reporter. He was previously a program executive with the tech-focused PR firm Voxus. Past journalistic experience includes stints as business editor at Executive Technology, a staff writer at New York Sportscene and a freelance journalist covering travel and entertainment. In his spare time, Bradley also writes screenplays.
