Camelot, the operator of the UK National Lottery, has confirmed that 26,500 player accounts have been hit with "suspicious activity". The organisation said that a much smaller number – roughly 50 – have had unauthorised activity take place since being accessed.
In a statement published online on 30 November, Camelot said: "On 28 November 2016, as part of our online security monitoring, we became aware of suspicious activity on a very small proportion of our players' online National Lottery accounts."
It stressed there was "no unauthorised access to core National Lottery systems" or any of its main databases, that no draws or prize payments were impacted and that no money has been deposited or withdrawn from player accounts.
It added: "We are currently taking all the necessary steps to fully understand what has happened, but we believe that the email address and password used on the National Lottery website may have been stolen from another website where affected players use the same details.
"We do not hold full debit card or bank account details in National Lottery players' online accounts and no money has been taken or deposited.
"However, we do believe that this attack may have resulted in some of the personal information that the affected players hold in their online account being accessed."
Camelot said it believes the activity was limited to "some of their personal details being changed"; however, it is currently probing the incident. Any accounts that have been tampered with are being suspended and impacted users are now being contacted.
"We have instigated a compulsory password reset on the accounts of the 26,500 affected players," Camelot said, adding: "We'd like to reassure our customers that protecting their personal data is of the utmost importance to us."
It continued: "Cyber criminals such as this are persistent, and we are continuing to monitor and protect our systems. We are also working closely with the National Crime Agency (NCA) and the National Cyber Security Centre (NCC) on an ongoing basis on this criminal matter.
"We are very sorry for any inconvenience this may cause to our players and would like to encourage those with any concerns to contact us directly, so we can discuss it with them in more detail."
As always in this situation, users are now being advised to change their passwords and ensure they are not re-used from other online services. Any future password should be long, unique and contain a mixture of numbers, letters and symbols.
"Consumers need to understand the importance of proper password management and avoiding recycling logins for multiple services, especially if the service deals with financial and personal data," said David Kennerley, director of threat research at cybersecurity firm Webroot. "The forced password reset for the 26,500 accounts affected is exactly the right response."
The National Lottery has 9.5 million registered online players.
If you have received an email from Camelot or the UK National Lottery please contact: firstname.lastname@example.org or @Jason_A_Murdock