National Lottery operator Camelot says as much in its statement: "We would like to make clear that there has been no unauthorised access to core National Lottery systems or any of our databases."
"We believe that the email address and password used on the National Lottery website may have been stolen from another website where affected players use the same details."
This is called credential stuffing, whereby previously exposed usernames and passwords are opportunistically plugged into other websites and services, since it's not uncommon for people to recycle user/pass combinations. If hacking is like breaking down a door, or at least picking the lock, then credential stuffing is like finding a key at the bottom of the road and trying it in every door, hoping to land on a fit. They are very, very different.
The whole situation is still alarming, of course. For one, there's no word on where those 26,500 account details came from. A previous hack or phishing campaign, perhaps? Worst case scenario: a recent hack of a site or service that has gone, as yet, undetected. The National Crime Agency and National Cyber Security Centre are investigating, so we might learn more in due course.
Camelot's immediate reaction has been to suspend the affected accounts and contact users about reactivating them. There's been no financial fallout, but obviously there are some personal details attached to the accounts that may've been seen/scraped.
LinkedIn was hacked, Ashley Madison was hacked, TalkTalk was hacked, Tesco Bank was hacked. The National Lottery was not hacked.