Canada Revenue Agency suffers credential stuffing attacks

The CIO office of the Government of Canada has issued a statement in which it reports cyberattacks of credential stuffing directed against the GCKey service (single sign-on system used to access multiple Canadian government services) and CRA (Canadian Revenue Agency) accounts.

Of the approximately 12 million active GCKey accounts in Canada, the credentials of 9,041 users were fraudulently acquired and used to attempt to access government services, a third of whom accessed those services. The affected GC Key accounts were terminated as soon as the threat was discovered and users whose credentials were revoked are being informed, providing instructions on how to receive a new GCKey.

As part of the attack on GCKey, approximately 5,500 CRA accounts were also targeted by cybercriminals. Access to all of these affected accounts has been disabled to maintain the security of taxpayer information and the agency is restoring user access to their CRA accounts..