About 26,500 National Lottery accounts are feared to have been hacked, according to its operator Camelot.
The firm said it did not believe its own systems had been compromised, but rather that the players’ login details had been stolen from elsewhere.
The company said that no money had been taken from or added to the compromised accounts.
But it added that there had been other suspicious activity on fewer than 50 of them.
The Information Commissioner’s Office said it had launched an investigation into the matter.
“The Data Protection Act requires organisations to do all they can to keep personal data secure – that includes protecting it from cyberattacks. Where we find this has not happened, we can take action.
“Organisations should be reminded that cybersecurity is a matter for the boardroom, not just the IT department.”
Camelot said it became aware of the problem on Sunday.
“We are currently taking all the necessary steps to fully understand what has happened, but we believe that the email address and password used on the National Lottery website may have been stolen from another website where affected players use the same details,” it said in a statement.
“We do not hold full debit card or bank account details in National Lottery players’ online accounts and no money has been taken or deposited.
“However, we do believe that this attack may have resulted in some of the personal information that the affected players hold in their online account being accessed.”
A spokeswoman added that the accounts represented a small fraction of the draw’s 9.5 million registered online players.
Camelot is contacting the owners of the accounts thought to have been compromised and instructing them to change their passwords.
One security expert said there had been many recent attacks where logins stolen from one platform had been tested and used to breach another.
But he still had concerns about Camelot’s explanation.
“If there’s 26,500 accounts here and they are saying the credentials are correct but they didn’t come from us, they still let an attacker log in 26,500 times,” said Troy Hunt.
“That alone is something that illustrates a deficiency.”
Other recent attacks targeted at the UK public include:
- Deliveroo – users of the takeaway food app said their accounts had been billed for food they had not ordered. The firm said the hacks had been carried out using passwords stolen from elsewhere
- Sony PlayStation Network – hundreds of gamers complained about being locked out of their online accounts. Many said that once Sony had restored their access, they had found that funds were missing. The firm suggested the users might have had their credential stolen by a phishing campaign
- Tesco Bank – a total of £2.5m was stolen from about 9,000 of the bank’s online accounts. The firm has said it was a “systematic, sophisticated attack” but has not provided further detail
The University of Surrey’s Prof Alan Woodward says these rules should be observed when setting an online password:
Don’t choose one obviously associated with you
Hackers can find out a lot about you from social media so if they are targeting you specifically and you choose, say, your pet’s name you’re in trouble.
Choose words that don’t appear in a dictionary
Hackers can precalculate the encrypted forms of whole dictionaries and easily reverse engineer your password.
Use a mixture of unusual characters
You can use a word or phrase that you can easily remember but where characters are substituted, eg, Myd0gha2B1g3ars!
Have different passwords for different sites and systems
If hackers compromise one system you do not want them having the key to unlock all your other accounts.
Keep them safely
With multiple passwords it is tempting to write them down and carry them around with you. Better to use some form of secure password vault on your phone.