Digital Privacy Industry News

Canada Revenue Agency Discloses Credential Stuffing Attack on 5,500 Service Accounts

A credential stuffing attack targeting Canada Revenue Agency (CRA) accounts has forced the government tax collector to suspend its online services over the weekend.

The compromised accounts were linked to the GCKey portal, a system used by 30 federal departments allowing citizens to access services such as employment insurance, immigration applications and COVID-19 relief benefits.

While the CRA contained the breach by temporarily shutting down its services, citizens looking to apply for government benefits will be unable to do so.

The agency said in a statement that the attackers used stolen credentials to fraudulently obtain government services and compromise the personal information of Canadian citizens.

“The Government of Canada is taking action in response to “credential stuffing” attacks mounted on the GCKey service and CRA accounts,” the CRA said. “These attacks, which used passwords and usernames collected from previous hacks of accounts worldwide, took advantage of the fact that many people reuse passwords and usernames across multiple accounts.”

The CRA said password and username combination of 9,041 users were “used to try and access government services, a third of which accessed such services and are being further examined for suspicious activity.”

“Approximately 5,500 CRA accounts were targeted as part of the GCKey attack and another recent “credential stuffing” attack aimed at the CRA,” the agency added. “Access to all affected accounts has been disabled to maintain the safety and security of taxpayers’ information and the Agency is contacting all affected individuals and will work with them to restore access to their CRA MyAccount.”

Although compromised GCKey accounts were cancelled, and users will be given instructions on how to regain access to the online portal, the CRA urges citizens to remain vigilant and always use unique passwords when setting up an online account.

This latest attack proves once again how poor cyber hygiene can lead to identity theft and fraud. Since the beginning of the pandemic, cybercriminals have targeted government COVID-19 relief programs across the globe, in an attempt to defraud unsuspecting citizens and steal their personal information.

While the attack may seem to be the work of a “criminal mastermind,” the perps made use of previously breached information such as usernames and passwords, which could have been scraped from forums and databases.

Now more than ever, you should start paying attention to your digital identity and online patterns. While maintaining healthy cyber behavior and enabling multiple safeguards on your online accounts can make a difference, nobody can predict or prevent data breaches from happening.

However, you can take proactive measures to limit the impact by keeping track of your vulnerable data and online exposure. Bitdefender’s Digital Identity Protection solution helps you find out what the digital world knows about you, so you can immediately act and prevent potential damages.

About the author

Alina Bizga

Alina has been a part of the Bitdefender family for some years now, as her past role involved interfacing with end users and partners, advocating Bitdefender technologies and solutions. She is a history buff and passionate about cybersecurity and anything sci-fi. Her spare time is usually split between her two feline friends and traveling.