Thousands of players have been sent emails warning of “suspicious activity” on their online accounts.
Lottery organiser Camelot believe around 26,500 player accounts were accessed.
No money has been withdrawn or deposited from affected player accounts and bank details have not been taken, it said.
However, “some of the personal information” held in players” accounts may have been stolen in the attack.
In a statement a spokesperson for lottery organiser Camelot said: “We are currently taking all the necessary steps to fully understand what has happened, but we believe that the email address and password used on the National Lottery website may have been stolen from another website where affected players use the same details.”
Of the thousands of accounts hacked, only 50 had some activity take place since being accessed on November 28.
Camelot has suspended all of the accounts where activity has taken place as a precautionary measure.
Meanwhile, the holders of the 26,000 accounts affected will be issued with a compulsory password reset.
A Camelot spokesperson added: “Cyber criminals such as this are persistent, and we are continuing to monitor and protect our systems.
“We are also working closely with the National Crime Agency and the National Cyber Security Centre on an ongoing basis on this criminal matter.
We’d like to reassure our customers that protecting their personal data is of the utmost importance to us.
“We are very sorry for any inconvenience this may cause to our players and would like to encourage those with any concerns to contact us directly, so we can discuss it with them in more detail.”
MORE TO FOLLOW