
PlayNow users encouraged to change passwords after credential stuffing attack
British Columbia Lottery Corporation operator continues to investigate incident as malicious actors looked to hack accounts by using login information stolen from other sites

British Columbia monopoly operator PlayNow has urged all players to change their passwords after the firm detected credential stuffing on its site last week.
On July 24, the company owned by the British Columbia Lottery Corporation (BCLC) identified an unusually high volume of traffic on its site.
It has since been revealed that the traffic stemmed from criminals trying to hijack accounts on the site using stolen passwords, with a “small percentage” of the PlayNow account base impacted.
In a credential stuffing attack, hackers attempt to gain access to an account by using email addresses and passwords previously exposed or stolen from other companies, relying on the fact that many users reuse the same login credentials across multiple sites.
PlayNow is also operated by the BCLC in Saskatchewan and Manitoba as part of a partnership with the Saskatchewan and Manitoba gambling authorities.
The operator immediately notified the affected players, informing them that their accounts had been locked in an attempt to block the suspicious traffic.
Customers have since been encouraged to change their passwords. Players have also been asked to consider changing login details for other websites so that they are not identical and are therefore less susceptible to credential stuffing.
Bosses confirmed the group is continuing to investigate the hack, while both British Columbia’s Office of the Information and Privacy Commissioner and its Gaming Policy and Enforcement Branch were informed of the situation.
In Manitoba, both the province’s ombudsman and the Liquor, Gaming and Cannabis Authority were notified, as were the Saskatchewan Information and Privacy Commissioner, and the Royal Canadian Mounted Police.
Pat Davis, BCLC president and CEO, revealed the firm was still looking into the incident, explaining: “This is a deeply concerning incident and a cautionary tale for everyone with multiple online accounts.
“Our investigation remains ongoing, and we have found no evidence that our systems have been compromised, or that player login information was stolen from our systems.”
He added: “Integrity and security are at the core of our business and our games. We are committed to continuing our ongoing evaluation and enhancement of PlayNow security controls to maintain the safety of our players’ information going forward.”