Canadian revenue agency faces ‘credential stuffing’ attacks

The federal government is warning Canadians not to reuse old passwords after thousands of accounts, including CRA logins, were targeted in a credential stuffing attack.

Canadian revenue agency faces ‘credential stuffing’ attacks

Hackers obtained and attempted to use the GCKey passwords and usernames of 9,041 people, the Treasury Board of Canada Secretariat said in a statement Saturday.

GCKey is the online authentication system that allows people access to Service Canada, Refugees and Citizenship Canada and more than two dozen other government departments.

For a third of the accounts affected, the hackers were successful in accessing government services online. Those accounts will be “further examined for suspicious activity,” the statement said.

As part of that attack and another recent incident, 5,500 CRA accounts were targeted.

The federal government said all compromised accounts have been disabled and those affected are being contacted. They will receive instructions on how to restore their GCKey or CRA MyAccount access.

“The Government of Canada is taking action in response to ‘credential stuffing’ attacks mounted on the GCKey service and CRA accounts,” the statement said.

“These attacks, which used passwords and usernames collected from previous hacks of accounts worldwide, took advantage of the fact that many people reuse passwords and usernames across multiple accounts.”

The federal government said it’s investigating the attacks along with the RCMP to see if there were privacy breaches or information obtained by the unauthorized users. The Office of the Privacy Commissioner has been contacted as well.

Originally published at Global news