Camelot, operator of the UK’s National Lottery, has issued a warning that tens of thousands of players’ accounts have been accessed by hackers:
> Of our 9.5 million registered online players, we believe that around 26,500 players’ accounts were accessed. A much smaller number – fewer than 50 – have had some activity take place within the account since it was accessed. This was limited to some of their personal details being changed – and some of these details may have been changed by the players themselves. However, we have taken the measure of suspending the accounts of these players and are in the process of contacting them to help them re-activate their accounts securely. In addition, we have instigated a compulsory password reset on the accounts of the 26,500 affected players. We are in the process of proactively contacting them to help them change their passwords, as well as giving them some more general online security advice.
Camelot is at pains to point out that its core systems and databases which could affect prize payment of National Lottery draws were *not* accessed. Instead, it seems likely that the hackers gained access to accounts because players were using the same usernames and passwords on other sites.
Camelot is forcing a password reset on accessed accounts, and I hope it will go further and encourage internet users to *always* use different passwords for different websites. Password re-use is a huge problem, and one that hackers are taking advantage of every day.
And it would be sensible for users who have had their National Lottery passwords reset to also make sure they are not using that same password anywhere else on the net.
Of course, remembering multiple different passwords is impossible for puny human brains. That’s why you should use a password manager which stores your passwords securely and remembers them for you. You then only have to remember one complicated, gobbledygook master password.
And it’s worth bearing in mind that if a hacker accessed your lottery account, it’s possible that they also grabbed personal information that you might have stored in that account, and could be planning to exploit it with malicious intent.
I’m not a gambler myself, so I don’t play the National Lottery. However, I can’t find any evidence that Camelot offers a two-factor authentication (2FA) option for users who wish to have a higher level of protection over their lottery account. Of course, multi-factor authentication is no replacement for good password practices, but it does make life much harder for hackers.
Maybe all online lotteries should consider offering 2FA to their customers – after all, if it’s good enough account security for a bank…
It’s not the kind of thing you want to gamble about, after all.