Camelot, the operator of the UK's National Lottery, advised all of its 10.5 million users to change their passwords after it detected a hacking incident earlier this month where hackers were able to breach up to 150 customer accounts.
Camelot said that even though hackers were able to access very limited information after breaching 150 customer accounts, they managed to carry out limited activity in fewer than ten accounts but did not cause any financial loss to customers.
"We would like to reassure our players that we do not display full debit card or bank account details on their online National Lottery accounts. We have suspended all of the affected accounts and have directly contacted these players to help them re-activate their accounts securely.
“We are also urging National Lottery players to change their online password, particularly if they use the same password across multiple websites,” the National Lottery operator said.
Not the first time
Considering the number of times it has been raided by hackers, the National Lottery website seems to be a favourite hunting ground for hackers. Back in December 2016, around 26,500 National Lottery accounts were accessed by hackers after they used data obtained from another breach to access accounts that used the same email address and password combinations.
Following the breach, Camelot suspended the fewer than 50 altered accounts that were the most affected and instigated a compulsory password reset on all 26,500 accounts.
In October last year, hackers targeted the National Lottery website again by flooding it with online traffic, thereby causing a shutdown that lasted around 90 minutes. The DDoS attack prevented thousands of people from buying lottery tickets from the website and exposed how poorly secured the website was from similar attacks.
"Websites who are unable to contain a DDoS attack like this risk losing their audience to competitors if they are unable to minimise the disruption, so it is essential that organisations expect cyber-attacks and know how they will respond," says Kirill Kasavchenko, Principal Security Technologist at Arbor Networks.
Are customers still re-using passwords across accounts?
According to Travis Smith, principle security researcher at Tripwire, the latest breach could be a case of hackers exploiting the use of similar passwords by customers across different accounts. Even though the number accounts breached this time is much fewer compared to during the previous breach, customers whose accounts were breached could be re-using the same passwords from other accounts that were accessed by hackers.
"Password re-use can be a crippling mistake. It’s less risky for attackers to use authentic credentials than to leverage exploits, as security tools are more likely to detect an active exploit. Since the same log-in credentials are commonly re-used across different websites, stolen credentials from one breach can lead to several other breaches (known as password-stuffing or credential-stuffing attacks)," he said.
Smith suggested that National Lottery customers should use password managers which offer an effective way for using unique and complex passwords for every website. "By having a unique password on each site, you eliminate the chances of criminals using password-stuffing attacks against you. If available, two-factor authentication is another great step for reducing this risk," he added.