One-third of those accounts successfully accessed services before all of the affected accounts were shut down, said the Treasury Board, which is responsible for managing the federal civil service as well as the public purse.
“These attacks, which used passwords and usernames collected from previous hacks of accounts worldwide, took advantage of the fact that many people reuse passwords and usernames across multiple accounts,” the Treasury Board of Canada said in a statement.
Those hacked accounts were tied to GCKey, which is used by around 30 federal departments and allows Canadians to access various services such as employment insurance, veterans’ benefits and immigration applications. Many of the hacked CRA accounts were targeted as part of a broader “credential stuffing” attack in which more than 9,000 accounts that Canadians use to apply for and access federal services were compromised.
“Somebody could be leaving under my name.” She has since contacted her bank and other financial institutions to stop the hackers from using her information to commit more fraud.
“And I still haven’t heard from anybody.”
Baverstock expressed frustration at the lack of contact, adding she still does not know how the hackers accessed her account.
“And she told me a senior officer would be calling me within 24 hours because my account was completely locked down.
“The lady I spoke to at CRA, she’s said: ‘This is a one-off,’” said Baverstock, who has continued to work through the pandemic and did not apply for the support payments.
The CRA’s system was also hit by credential stuffing attacks on the CRA portal, in which the attackers exploited a vulnerability that allowed them to bypass the CRA security questions and get into thousands more accounts.
As well, the CRA portal was directly targeted with a large amount of traffic trying to attack the services through credential stuffing.
The first of three attacks last week took aim at the GCKey service, which is used by about 30 federal departments and allows Canadians to access services like the My Service Canada account.
By using the previously stolen usernames and passwords, the hackers were able to fraudulently acquire about 9,000 of some 12 million GCKey accounts.
Users can also opt to use a new security feature that will allow them to set up a unique personal identification number to open an account. It also recommended all CRA “My Account” users enable email notifications, as an additional measure of security.
The agency urged everyone using its online services to update their accounts with unique passwords they don’t use for any other purpose. The hackers obtained the information through “credential stuffing,” a type of attack in which attackers obtain usernames and passwords that have been used on other websites and try them against another service.
Government of Canada officials are seen last Monday providing an update on recent cyber attacks against government online services during a technical briefing on Parliament Hill in Ottawa.