Hackers targeted thousands of CRA, government service accounts in ‘credential stuffing’ attacks

The federal government is warning Canadians not to reuse old passwords after thousands of accounts, including CRA logins, were targeted in a credential stuffing attack.

Hackers obtained and attempted to use the GCKey passwords and usernames of 9,041 people, the Treasury Board of Canada Secretariat said in a statement Saturday.

GCKey is the online authentication system that allows people access to Service Canada, Refugees and Citizenship Canada and more than two dozen other government departments.

For a third of the accounts affected, the hackers were successful in accessing government services online. Those accounts will be “further examined for suspicious activity,” the statement said.

As part of that attack and another recent incident, 5,500 CRA accounts were targeted.

The federal government said all compromised accounts have been disabled and those affected are being contacted. They will receive instructions on how to restore their GCKey or CRA MyAccount access.

Credential stuffing is a form of cyberattack that relies on databases of stolen login information made available through previous data breaches. The hackers use those credentials try to gain access to different online services.

3:24 Cyberattack compromises data of 15 million LifeLabs customers

“The Government of Canada is taking action in response to ‘credential stuffing’ attacks mounted on the GCKey service and CRA accounts,” the statement said.

“These attacks, which used passwords and usernames collected from previous hacks of accounts worldwide, took advantage of the fact that many people reuse passwords and usernames across multiple accounts.”

The federal government said it’s investigating the attacks along with the RCMP to see if there were privacy breaches or information obtained by the unauthorized users. The Office of the Privacy Commissioner has been contacted as well.