
National Lottery Credential Stuffing Attack

On the 16th of March, The National Lottery advised its 10.5 million account holders to change their passwords after reporting they had been the subject of a ‘credential stuffing’ cyber attack.

Camelot UK Lotteries confirmed that approximately 150 accounts suffered an unauthorised login, although fewer than ten had actual unauthorised activity within the account. Camelot has reported that no customer has suffered any financial loss.

Credential stuffing is an attack in which previously stolen username (often an email address) and password combinations are used to attempt account logins on other websites. It relies on users’ poor cyber security practices, in this case the re-use of the same username or email address and password combination across multiple sites.

Cyber criminals employ automated tools to attempt these logins in the hope that a successful login is achieved. Internet provider Akamai estimate that almost half (43%) of the 17 billion login attempts they tracked in a two-month period in 2017 were fraudulent in nature.
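To show what this pattern looks like from the defending side, here is an added example (not from Camelot or the original article) that classifies login sources from authentication events: one source trying many different accounts with few successes is the signature of credential stuffing. The event format, sample data, function names and thresholds are all assumptions made for illustration.

```python
from collections import defaultdict

# Constructed sample login events: (source_ip, username, success)
SAMPLE_EVENTS = (
    # One source trying 60 different accounts once each; one pair works
    [("203.0.113.7", f"user{i}@example.com", i == 42) for i in range(60)]
    # A legitimate user mistyping a password twice, then succeeding
    + [("198.51.100.20", "alice@example.com", ok) for ok in (False, False, True)]
    # Repeated guessing against a single account
    + [("192.0.2.99", "bob@example.com", False) for _ in range(40)]
)


def classify_sources(events, min_attempts=20, min_distinct_users=15,
                     max_success_rate=0.10):
    """Label each source IP from its login pattern.

    Credential stuffing: many distinct usernames and a low success rate.
    The thresholds are illustrative assumptions, not recommended values.
    """
    attempts = defaultdict(int)
    successes = defaultdict(int)
    users = defaultdict(set)
    for ip, username, ok in events:
        attempts[ip] += 1
        successes[ip] += int(ok)
        users[ip].add(username.lower())

    verdicts = {}
    for ip, total in attempts.items():
        distinct = len(users[ip])
        rate = successes[ip] / total
        if total < min_attempts:
            verdicts[ip] = "normal"
        elif distinct >= min_distinct_users and rate <= max_success_rate:
            verdicts[ip] = "credential_stuffing"
        elif distinct == 1:
            verdicts[ip] = "single_account_guessing"
        else:
            verdicts[ip] = "review"
    return verdicts


def compromised_accounts(events, verdicts):
    """Accounts a flagged source logged in to: candidates for a forced reset."""
    return sorted({user for ip, user, ok in events
                   if ok and verdicts.get(ip) == "credential_stuffing"})
```

Attempts spread across many source addresses will not trip a per-IP count, so the same counting would need to be keyed on something other than the IP in that case.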

In this instance, due to the type of data involved, National Lottery customers with online accounts should follow Camelot’s advice and reset the password on any service where they have used a similar password.




Duncan

Duncan is a technology professional with over 20 years' experience of working in various IT roles. He has an interest in cyber security, and has a wide range of other skills in radio, electronics and telecommunications.
