The Virginia Lottery has a new message for online customers - don't play games with passwords.

About 1,000 online lottery accounts were compromised earlier this month when the state agency noticed "irregular activity" after outside hackers obtained passwords that account owners had used elsewhere. The lottery temporarily locked affected accounts until customers changed their passwords to prevent access to sensitive information.

"No personal or financial information was obtained or compromised," spokesman John Hagerty said Thursday.

"It was a teaching moment, absolutely," Hagerty said. "We feel like our security procedures worked and are working as designed."

The lottery notified online players on Feb. 9 that some accounts had been compromised by use of email addresses and passwords that internet hackers had obtained elsewhere. The information allowed hackers to access accounts, but not "personal identifiable information," such as Social Security numbers or banking information, which are not displayed.

The agency said it would temporarily lock accounts after noticing "unusual activity" and require their owners to change their passwords and, in some cases, verify their identities. "If you have not already done so, we strongly encourage you to complete that process with a strong password unique to your account," it said in the email.

Internet security has become a much bigger issue at the lottery because it now has about 500,000 online accounts active on any given day, as more people play its games by computer, including Instant Win games that can only be played online. The lottery requires players to be at least 18 years old and located in Virginia, which it screens with online tools.

Attempted security breaches are common at the lottery, as they are at all other public and private companies doing business over the internet, Haggerty said. "We see this all the time - the bad actors trying to get in."

The 1,000 or so accounts affected represent about 0.2% of total accounts for online players. The lottery does not know "where the bad actor got credible user names and passwords," Hagerty said in an email. "We just know it was not our site."

"We do know that a major factor in this was people using the same user names and passwords for multiple accounts," he added.

"There are bad actors out there that want to steal your information," Hagerty said. "We caught this and nobody's personal identifiable information was compromised.

"But bad guys are going to keep trying, so this is a great time to remind everyone to follow cybersecurity best practices" and regularly change passwords, create strong unique passwords for individual accounts, and regularly monitor their accounts for unusual activity.