Cyber Incident Victim: Mind & Motion
Date:
Mar 2018
Location:
United Kingdom
Summary
The National Lottery experienced a security breach where attackers used credential stuffing techniques to access online accounts, impacting approximately 10.5 million players. Around 150 accounts were compromised, with fewer than 10 exhibiting suspicious activity, though no financial losses occurred and scheduled operations remained unaffected. The operator advised all users to change passwords, particularly those reused across multiple sites, suspended affected accounts, and directly contacted impacted players to facilitate secure reactivation. The attack leveraged previously leaked credentials to automate login attempts against accounts.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 1 motive | 1 technique |
| Threat Actors | Type | Location |
|---|---|---|
| 0 actors | Available to members | Available to members |
Description
The National Lottery experienced a cybersecurity incident beginning on March 7, 2018, when attackers launched a credential stuffing campaign targeting online player accounts. This technique involved automated attempts to access accounts using previously leaked email and password combinations traded among fraudsters. Camelot, the lottery operator, detected suspicious activity through routine security monitoring, though the attacks remained sporadic and low-volume, making them difficult to distinguish from legitimate player logins. Over an unspecified period following the initial breach, hackers successfully accessed approximately 150 accounts. In fewer than 10 of these compromised accounts, unauthorized activity occurred, though Camelot confirmed no financial losses for affected customers. The attack did not disrupt the scheduled £14 million Euromillions draw occurring shortly after detection.
Camelot responded by suspending all directly impacted accounts and contacting those users to securely reactivate access. The company issued a mass email alert to all 10.5 million registered online players, urging password changes—particularly for those reusing credentials across multiple websites. A public notice was prominently displayed on the National Lottery website describing the incident as "suspicious activity on a very small number of players’ accounts." Security measures emphasized credential hygiene due to the attack’s reliance on recycled login details from prior breaches. While the operation’s full technical scope wasn’t disclosed, Camelot characterized the incident as limited in scale and impact, with no evidence of systemic network compromise beyond the credential-based account intrusions.