Hackers reuse passwords to access 26,500 National Lottery accounts


Earlier this week UK National Lottery operator Camelot released a statement saying it believed hackers had accessed the accounts of around 26,500 of its 9.5 million online players:

As part of our online security monitoring, we became aware of suspicious activity on a very small proportion of our players’ online National Lottery Accounts

Thankfully, fewer than 50 of those accounts have been touched since the hackers accessed them. And any activity was limited to personal details being changed, potentially by the players themselves. Camelot clarified:

We do not hold full debit card or bank account details in National Lottery players’ online accounts and no money has been taken or deposited.

Nevertheless, this is still very serious. Even though impacted users haven’t had financial details exposed, they have still lost personal information that may be very useful to fraudsters.

How did Camelot react?

Camelot took proactive action, suspending the 50 affected players’ accounts and contacting these players to help them re-activate their accounts securely. In addition to that, it’s also making all 26,500 affected players reset their passwords.

As well as contacting these folks to help them change their passwords, Camelot is handing out advice on online security. Why? Because Camelot believes that…

…the email address and password used on the National Lottery website may have been stolen from another website where affected players use the same details.

In other words, Camelot is pointing the finger at a third-party website, suggesting the cyber criminals may not have stolen the logins from the National Lottery website itself.

So how does that work?

Hackers like to make the most of their ill-gotten gains. Whenever they steal logins from one website, they try them out on lots of other sites to see if account holders have reused usernames and passwords across services. That means that if you use the same username and password on a number of different sites, and fraudsters ever steal that combination from one of them, it’s also compromised on all the others.

This is simply the “credential stuffing” we reported last week. In that instance it led to rogue Deliveroo transactions that allowed fraudsters to stuff their faces for free.

Be warned – there have been plenty of other recent incidents of thefts and credential stuffing in the UK, including:

It’s not yet known how this happened. Sophos global head of security research James Lyne told us:

The [Camelot] statement doesn’t clarify if it is a site with which Camelot itself shares credentials or whether the problem lies with users having the same e-mail and password across multiple websites – though the latter is far more likely.

He also noted that, although Camelot did recognize that there was suspicious activity on its accounts, the attack did compromise a significant number of accounts:

Camelot have obviously managed to link suspicious activity to these accounts, such as a shared attacker IP address or common activities, but it is concerning that so many accounts could be compromised with such a common pattern before the attack was detected.
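The linkage mentioned in that quote, many accounts tied together by one source address, can be sketched as a check over login logs. This is an added example, not code from the article or from Camelot; the log format, addresses, account names and thresholds are all constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: timestamp, source IP, account, result.
# IPs come from documentation ranges; accounts are made up.
SAMPLE_LOG = """\
2024-01-15T09:00:01 203.0.113.7 alice@example.com FAIL
2024-01-15T09:00:02 203.0.113.7 bob@example.com FAIL
2024-01-15T09:00:04 203.0.113.7 carol@example.com OK
2024-01-15T09:00:05 203.0.113.7 dave@example.com FAIL
2024-01-15T09:00:07 203.0.113.7 erin@example.com FAIL
2024-01-15T09:00:09 203.0.113.7 frank@example.com OK
2024-01-15T09:03:10 198.51.100.20 alice@example.com FAIL
2024-01-15T09:03:25 198.51.100.20 alice@example.com OK
2024-01-15T09:05:00 192.0.2.50 grace@example.com OK
2024-01-15T09:06:30 192.0.2.50 heidi@example.com OK
"""

def parse(log):
    """Yield (timestamp, ip, account, succeeded) for each log line."""
    for line in log.splitlines():
        ts, ip, account, result = line.split()
        yield datetime.fromisoformat(ts), ip, account, result == "OK"

def find_stuffing(log, window=timedelta(minutes=10), min_accounts=5):
    """Flag IPs that try min_accounts or more distinct accounts inside one
    sliding window. Returns {ip: accounts that IP logged in to successfully},
    i.e. the accounts that need a forced password reset."""
    by_ip = defaultdict(list)
    for ts, ip, account, ok in parse(log):
        by_ip[ip].append((ts, account, ok))
    flagged = {}
    for ip, events in by_ip.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            # Shrink the window from the left until it spans <= `window`.
            while events[end][0] - events[start][0] > window:
                start += 1
            if len({a for _, a, _ in events[start:end + 1]}) >= min_accounts:
                # Treat every success from a flagged IP as compromised.
                flagged[ip] = sorted({a for _, a, ok in events if ok})
                break
    return flagged

if __name__ == "__main__":
    for ip, accounts in find_stuffing(SAMPLE_LOG).items():
        print(ip, "->", ", ".join(accounts))
```

Lowering `min_accounts` to 2 also flags the shared address 192.0.2.50, where two users simply sit behind the same gateway, so the threshold has to be tuned against normal traffic.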

While we wait for more information to become available, the BBC reports that the Information Commissioner’s Office is launching an investigation into the National Lottery breach. The ICO said:

Camelot submitted a breach report to us last night, which we have reviewed. We will be talking to Camelot today… Organisations should be reminded that cybersecurity is a matter for the boardroom, not just the IT department.

What should I do?

Lessons will need to be learnt on both sides. When it comes to securing your passwords, Lyne advises:

  • Use a different password on each website as otherwise a breach of any one web service could provide access to your entire online life.
  • We recommend users change their password on the National Lottery website and any other service where they use the same email address and password combination.
  • Cyber-criminals have executed numerous campaigns re-using stolen credentials recently so avoiding sharing passwords across sites is key.
  • Read Sophos’ top password tips.