Camelot said it believed around 26,500 players’ accounts had been accessed, but that potentially fraudulent activity had taken place on “fewer than 50”.
The lottery operator said it became aware of “suspicious activity” on a number of players’ online accounts on Monday.
One player Nigel McKee, a tech operative from Randalstown in County Antrim, received an email from the National Lottery with the subject line “Important Player Message”, which said: “We regret to inform you that your account has been subject to an unauthorised log-in.
“This may have resulted in any personal information held within your account being accessed.”
Mr McKee, 21, said he was thinking of cancelling his account following the hack.
“It would make me more inclined to do it in store with cash. I’ll probably just cancel it altogether,” he said.
A spokesman for the Information Commissioner’s Office said: “We are aware of this incident and we have launched an investigation.
“The Data Protection Act requires organisations to do all they can to keep personal data secure - that includes protecting it from cyber attacks. Where we find this has not happened, we can take action.”
He added: “Organisations should be reminded that cyber security is a matter for the boardroom, not just the IT department.”
Camelot said: “Of our 9.5 million registered online players, we believe that around 26,500 players’ accounts were accessed.
“A much smaller number - fewer than 50 - have had some activity take place within the account since it was accessed.
“This was limited to some of their personal details being changed - and some of these details may have been changed by the players themselves.
“However, we have taken the measure of suspending the accounts of these players and are in the process of contacting them to help them re-activate their accounts securely.
“In addition, we have instigated a compulsory password reset on the accounts of the 26,500 affected players.”
Camelot said there had been no unauthorised access to “core National Lottery systems” or any databases, which would affect National Lottery draws or payment of prizes.
A statement added: “No money has been deposited or withdrawn from affected player accounts.”
The operator said it believed that email addresses and passwords used on the lottery website may have been stolen from another site where affected players use the same details.
The National Lottery hack follows online breaches affecting Tesco, Yahoo and TalkTalk, among others, within the last two years. TalkTalk said the fallout from the attack, in which 15,656 bank account numbers were accessed, had cost it £42m.
Tony Neate, chief executive of internet security awareness organisation Get Safe Online, said National Lottery players should change their account username, password and security questions, “as failure to do so immediately could lead to your account being breached now or in the future and give criminals access to personal information that they could use to unlock other online accounts you may have”.