The breach occurred on November 28, although no money has been taken from users” accounts.
A spokesman for Camelot, who run the lottery, said it became aware of “suspicious activity” two days ago.
They said: “We do not hold full debit card or bank account details in National Lottery players’ online accounts and no money has been taken or deposited.
“However, we do believe that this attack may have resulted in some of the personal information that the affected players hold in their online account being accessed.”
Thousands of people have had their accounts accessed – however a tiny percentage of these accounts have been altered.
“This was limited to some of their personal details being changed – and some of these details may have been changed by the players themselves.
“However, we have taken the measure of suspending the accounts of these players and are in the process of contacting them to help them re-activate their accounts securely.
The statement continued: “Of our 9.5 million registered online players, we believe that around 26,500 players’ accounts were accessed.
A much smaller number – fewer than 50 – have had some activity take place within the account since it was accessed.
Camelot said they were now contacting affected users and recommending password changes.
They concluded: “Cyber criminals such as this are persistent, and we are continuing to monitor and protect our systems.
“We are also working closely with the National Crime Agency and the National Cyber Security Centre on an ongoing basis on this criminal matter.”
This is a breaking story. More to follow…