National Lottery operator Camelot thinks 26,500 accounts have been hacked.
The company said it didn't think its own systems had been compromised, but that players' login details had been pinched from elsewhere. It discovered "suspicious activity" after online security monitoring on Monday.
"No money has been deposited or withdrawn from affected player accounts," it said in a statement. "We are currently taking all the necessary steps to fully understand what has happened."
The company says it doesn't hold full debit card or bank account details.
Camelot said only a small percentage of its 9.5m registered online players had been affected, though that still amounts to 26,500 accounts. Fewer than 50 "have had some activity take place within the account since it was accessed", including personal details being changed. The company said these details could have been changed by the players themselves, but it has suspended the accounts as a precautionary measure and is contacting the players.
A compulsory password reset has been placed on the thousands of affected accounts.
The Information Commissioner's Office said Camelot submitted a breach report last night and an investigation was taking place.
Camelot is also working with the National Crime Agency and the National Cyber Security Centre on "this criminal matter". It encouraged any customers with concerns to contact the firm directly.
It marks the latest in a spate of cyber-related incidents at prominent companies. Tesco Bank said a total of £2.5m was stolen from around 9,000 of the bank's online accounts in a "systematic, sophisticated attack" earlier this month. It said personal data was not compromised and all accounts affected had been refunded.
And users of the Deliveroo app said their accounts had been billed for food they hadn't ordered. The company denied a data hack and said hacks had been carried out using passwords stolen from elsewhere.