THE NATIONAL LOTTERY HAS BEEN BREACHED, again, with parent company Camelot warning millions of players to change their passwords after detecting suspicious activity with online accounts.
While Camelot is trying to work out how the hack happened, it did note that only up to 150 accounts out of some 10.5 million may have been subject to unauthorised logins, and only "very limited information" may have been viewed.
"We would like to make clear that there has been no unauthorised access to core National Lottery systems or any of our databases, which would affect National Lottery draws or the payment of prizes," Camelot added, meaning no cyber crooks are going to pilfer someone's winning lottery numbers.
That being said, Camelot doesn't appear to be taking the data breach lightly, having not only reported the incident to the rozzers but also to the Information Commissioner's Office and the National Cyber Security Centre; the former is an expected part of data breach reporting but the latter is one way to bring some big cybersecurity guns to bear on the hack.
This is the second data breach the National Lottery has faced in the past year-and-a-half, having seen 26,500 online accounts compromised in November 2016 through the re-use of stolen credentials.
Currently, it would appear the new data breach is also an example of hackers using passwords and credentials pilfered from elsewhere to have a go at breaching the National Lottery accounts.
As there are plenty of us who re-use passwords, such an attack vector is not uncommon.
Travis Smith, principal security researcher at Tripwire, staunchly warned against password re-use and highlighted how it's an easy way for hackers to umm... hack.
"Password re-use can be a crippling mistake. It's less risky for attackers to use authentic credentials than to leverage exploits, as security tools are more likely to detect an active exploit. Since the same log-in credentials are commonly re-used across different websites, stolen credentials from one breach can lead to several other breaches (known as password-stuffing or credential-stuffing attacks)," he said.
"Password managers can be an effective way for using unique and complex passwords for every website. By having a unique password on each site, you eliminate the chances of criminals using password-stuffing attacks against you.
"If available, two-factor authentication is another great step for reducing this risk. If an attacker gains access to valid credentials, they will be rendered useless if they don't also have access to the device generating the second factor code."
This might seem bleedingly obvious to many of you, but given how so many sites and services need passwords, it's easy to fall into the trap of re-using passwords when you just want to make an easy login and get cracking with the latest Netflix series or buy a fresh Faberge egg. µ
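On the defending side, the credential-stuffing pattern Smith describes shows up in login logs as one source trying many distinct accounts with few successes. The sketch below is an added example, not code from Camelot or Tripwire; the log format, thresholds, addresses and account names are all assumptions constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not real data): ISO time, source IP, account, outcome.
SAMPLE_LOG = """\
2018-03-01T10:00:01 203.0.113.5 alice FAIL
2018-03-01T10:00:03 203.0.113.5 bob FAIL
2018-03-01T10:00:05 203.0.113.5 carol OK
2018-03-01T10:00:07 203.0.113.5 dave FAIL
2018-03-01T10:00:09 203.0.113.5 erin FAIL
2018-03-01T10:00:11 203.0.113.5 frank FAIL
2018-03-01T10:01:00 198.51.100.7 grace FAIL
2018-03-01T10:01:20 198.51.100.7 grace OK
2018-03-01T10:02:00 192.0.2.50 heidi OK
2018-03-01T10:02:10 192.0.2.50 ivan OK
2018-03-01T10:02:20 192.0.2.50 judy OK
2018-03-01T10:02:30 192.0.2.50 mallory OK
2018-03-01T10:02:40 192.0.2.50 niaj OK
"""

def parse(log):
    """Yield (timestamp, ip, account, ok) from 'time ip account OK|FAIL' lines."""
    for line in log.strip().splitlines():
        ts, ip, user, outcome = line.split()
        yield datetime.fromisoformat(ts), ip, user, outcome == "OK"

def stuffing_suspects(events, window=timedelta(minutes=5), min_accounts=5, max_success=0.2):
    """Flag IPs that try many distinct accounts in a sliding window with few logins succeeding."""
    by_ip = defaultdict(list)
    for ev in sorted(events):
        by_ip[ev[1]].append(ev)
    report = {}
    for ip, evs in by_ip.items():
        start = 0
        for end in range(len(evs)):
            while evs[end][0] - evs[start][0] > window:
                start += 1
            span = evs[start:end + 1]
            users = {u for _, _, u, _ in span}
            hits = {u for _, _, u, ok in span if ok}
            # Many accounts but a low success ratio: a shared office IP would succeed far more often.
            if len(users) >= min_accounts and len(hits) / len(users) <= max_success:
                r = report.setdefault(ip, {"accounts": set(), "compromised": set()})
                r["accounts"] |= users
                r["compromised"] |= hits
    return report

if __name__ == "__main__":
    print(stuffing_suspects(parse(SAMPLE_LOG)))
```

The `compromised` set is the list of accounts where a re-used password actually worked, which are the ones that need a forced reset.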