A series of cyberattacks against the Canadian Revenue Association and the government’s GCKey system has potentially breached the digital accounts of thousands.
According to a release from the Government of Canada, a series of “credential stuffing” attacks were mounted on the GCKey service and CRA accounts. These attacks used passwords and usernames collected from previous hacks of accounts worldwide.
“Of the roughly 12 million active GCKey accounts in Canada, the passwords and usernames of 9,041 users were acquired fraudulently and used to try and access government services,” the government wrote in a release, “a third of which accessed such services and are being further examined for suspicious activity.”
The GCKey system is used by 30 federal departments and allows Canadians to access services like Employment and Social Development Canada’s My Service Canada Account or their Immigration, Refugees, and Citizenship Canada account.
Affected GCKey accounts were cancelled immediately, and officials say they are working with those impacted to restore the services.
Approximately 5,500 CRA accounts were targeted as part of the GCKey attack and another recent credential stuffing attack aimed at the tax agency.
“Access to all affected accounts has been disabled to maintain the safety and security of taxpayers’ information,” the government said.
The RCMP is now reportedly investigating to determine if any information was obtained from these accounts. The Office of the Privacy Commissioner was also contacted as a result.
A credential stuffing attack is when large numbers of previously obtained passwords and login details are submitted to a system's login in an attempt to get past its security, relying on the fact that many people reuse the same passwords across multiple accounts.
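For defenders, that pattern is visible in login logs: one source trying many different usernames, a try or two each, with most attempts failing and a few succeeding. The sketch below is an added example, not code from the government or the article; the event format, the sample events and the thresholds are all constructed assumptions.

```python
from collections import defaultdict

def build_sample_events():
    """Constructed (source_ip, username, success) login events, not real data."""
    events = []
    # One source walking a leaked list: 40 usernames, one try each; a few
    # succeed because those users reused a password exposed elsewhere.
    for i in range(40):
        events.append(("203.0.113.7", f"user{i:03d}", i % 10 == 0))
    # A legitimate user mistyping a password twice, then logging in.
    events += [("198.51.100.20", "alice", ok) for ok in (False, False, True)]
    # A shared office address: several users, almost all succeed.
    for name in ("bob", "carol", "dave", "erin", "frank", "grace"):
        events.append(("192.0.2.50", name, True))
    events.append(("192.0.2.50", "bob", False))
    return events

def summarize(events):
    """Per-source counters: attempts, failures, usernames tried, usernames hit."""
    stats = defaultdict(lambda: {"attempts": 0, "failures": 0,
                                 "users": set(), "hits": set()})
    for ip, user, ok in events:
        s = stats[ip]
        s["attempts"] += 1
        s["users"].add(user)
        if ok:
            s["hits"].add(user)
        else:
            s["failures"] += 1
    return stats

def flag_stuffing(events, min_users=20, min_fail_ratio=0.8, max_tries_per_user=2.0):
    """Return {source_ip: [accounts that were successfully logged into]}.

    Thresholds are illustrative assumptions; tune them against real traffic.
    """
    flagged = {}
    for ip, s in summarize(events).items():
        many_users = len(s["users"]) >= min_users
        mostly_failing = s["failures"] / s["attempts"] >= min_fail_ratio
        # Few tries per username separates stuffing from guessing one account.
        shallow = s["attempts"] / len(s["users"]) <= max_tries_per_user
        if many_users and mostly_failing and shallow:
            flagged[ip] = sorted(s["hits"])
    return flagged

if __name__ == "__main__":
    for ip, hits in flag_stuffing(build_sample_events()).items():
        print(f"{ip}: suspected credential stuffing; review accounts {hits}")
```

The accounts returned for a flagged source are the ones to disable and review, as was done with the affected GCKey and CRA accounts. Attempts spread across many source addresses will not trip a per-source count, so the same counters are usually also kept per time window across all sources.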