Malicious actors launched credential stuffing attacks that targeted Canada's GCKey service and Canada Revenue Agency (CRA) accounts.
On August 15, the Treasury Board of Canada Secretariat announced that the Government of Canada was in the process of responding to a series of credential stuffing attacks. Those campaigns had compromised the credentials of 9,041 users of GCKey, an electronic credential which enables Canadians to access online government services such as employment. More than 30 federal departments use GCKey to help provide services to about 12 million active users. For a third of the users affected by these attacks, the malicious actors succeeded in accessing their services, prompting an investigation into whether additional suspicious activity had occurred. In the meantime, the Government of Canada said it had canceled affected individuals' accounts and provided them with instructions on how to receive a new GCKey. The Treasury Board of Canada Secretariat said that credential stuffing attacks had also affected 5,500 CRA accounts. As reported by CBC News, many Canadians reported suspicious activity involving their CRA accounts in early August. Many said that someone had changed the email addresses associated with their accounts, altered their direct deposit information and applied COVID-19 relief in their names. The CRA responded to that activity by disabling access to all accounts and notifying affected individuals of what had happened. The Government of Canada was still investigating these attacks at the time of this writing. Per the Treasury Board of Canada Secretariat's statement:
The safety and security of Canadians, and their information, is the Government of Canada’s top priority. We continue to actively investigate these attacks and are taking swift action to implement additional security features as the investigation continues.
While this investigation remains ongoing, affected individuals should begin looking into how they can defend their GCKey and CRA accounts against credential stuffing attacks. One of the best ways they can do this is to use a strong, unique password each of their accounts. Click here to view some expert guidance on the subject.
