Hackers Target National-Lottery

Camelot, the company that runs the National Lottery, has said 26,500 users may have been the target of a hacking attack. The attack occurred on 28th November and was picked up by the online security monitoring team. With over 9.5 million people registered on the website, this could have been the first wave of an attack.

In its press release Camelot says: “We would like to make clear that there has been no unauthorised access to core National Lottery systems or any of our databases, which would affect National Lottery draws or payment of prizes. In addition, no money has been deposited or withdrawn from affected player accounts.”

Around 50 of the accounts show some change of details. Camelot says it is not sure if that was done by the users themselves or by the hackers. To prevent any risk to the users it has suspended the accounts and is contacting the owners. It has also reset the passwords of the remaining 26,450 users. They will need to set up a new password the next time they log in.

How was the National-Lottery attacked?

While the fine details of the attack are not yet known, it seems the attack was carried out using stolen credentials. Hackers are believed to have used usernames and passwords that they acquired on the dark web. They then tried those combinations against the National-Lottery website, getting a small number of hits.
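The pattern described above, many distinct usernames tried from one source with only a handful of successes, is what a login-monitoring check can look for. This is an added example, not Camelot's code; the log format, IP addresses and thresholds are constructed for illustration:

```python
"""Credential-stuffing detector over web login logs (added example).

Assumed, constructed log format: "<ISO time> <src_ip> <username> <LOGIN_OK|LOGIN_FAIL>".
Stuffing looks like one source trying many *distinct* usernames, each once, with a
tiny success rate; a legitimate user who forgot a password fails on *one* username.
"""
from collections import defaultdict

# Constructed sample log: one stuffing source and one normal user retrying a password.
SAMPLE_LOG = """\
2016-11-28T22:01:01Z 203.0.113.7 alice LOGIN_FAIL
2016-11-28T22:01:02Z 203.0.113.7 bob LOGIN_FAIL
2016-11-28T22:01:02Z 203.0.113.7 carol LOGIN_OK
2016-11-28T22:01:03Z 203.0.113.7 dave LOGIN_FAIL
2016-11-28T22:01:03Z 203.0.113.7 erin LOGIN_FAIL
2016-11-28T22:01:04Z 203.0.113.7 frank LOGIN_FAIL
2016-11-28T22:05:10Z 198.51.100.4 grace LOGIN_FAIL
2016-11-28T22:05:31Z 198.51.100.4 grace LOGIN_FAIL
2016-11-28T22:05:52Z 198.51.100.4 grace LOGIN_OK
"""

def parse(log):
    """Yield (timestamp, src_ip, username, succeeded) for each log line."""
    for line in log.splitlines():
        ts, ip, user, result = line.split()
        yield ts, ip, user, result == "LOGIN_OK"

def detect_stuffing(log, min_users=5, max_success_rate=0.25):
    """Return {src_ip: sorted usernames that logged in successfully from that source}.

    A source is flagged when it tries at least `min_users` distinct usernames and
    most attempts fail (thresholds are illustrative and must be tuned per site).
    The successful logins from a flagged source are the accounts to suspend and reset.
    """
    attempts = defaultdict(list)  # src_ip -> [(username, succeeded), ...]
    for _ts, ip, user, ok in parse(log):
        attempts[ip].append((user, ok))
    flagged = {}
    for ip, events in attempts.items():
        distinct_users = {u for u, _ in events}
        success_rate = sum(ok for _, ok in events) / len(events)
        if len(distinct_users) >= min_users and success_rate <= max_success_rate:
            flagged[ip] = sorted(u for u, ok in events if ok)
    return flagged

if __name__ == "__main__":
    for ip, hits in detect_stuffing(SAMPLE_LOG).items():
        print(f"{ip}: credential stuffing suspected; accounts to reset -> {hits}")
```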

Password reuse an increasing problem

This is not the first, nor will it be the last, time that users find their accounts compromised through reuse of passwords. Given the number of online sites that users regularly access, the reuse of passwords is common. As soon as the news broke there was a stream of comment from security vendors attacking user behaviour and password reuse. Unsurprisingly, many of them flagged up their own products, such as password vaults, as a solution.

The problem, however, is much deeper than that. The vast majority of user authentication systems on the web use old code. That code limits the number of characters in a password, making it hard to use passphrases. It is also not uncommon to find sites that block the use of symbols such as £$%^&* and many others. Such restrictions further reduce the ability of users to create complex passwords. At the same time, the way that sites store usernames and passwords is insecure. There is little challenge for hackers in grabbing and reselling user credentials.

All of this suggests that we will see an increase in this type of attack. The problem for websites and businesses is that they have to prove how the attack happened. If it was caused, as in this case, by reuse of credentials then it is hard for them to defend against.

What are the alternatives?

The whole security industry agrees that more needs to be done. Many want to see multi-factor authentication as standard. This sounds great but often requires a lot of reengineering to the way sites are set up. There is also a limited number of programmers with the right skills to do this work. As a result, we are not going to see the mass introduction of multi-factor or other security solutions soon.

Even the introduction of the GDPR would not have helped here. This is not a breach caused by a defect on the National-Lottery

Conclusion

Using password managers and password vaults, where users can create unique passwords per site, is a good option. Another option is to stop reusing passwords across multiple sites and to change passwords regularly. Irrespective of what users could do, what is important here is what Camelot did. It identified the attack quickly, disabled accounts and then forced password resets.
