Statement from the Office of the Chief Information Officer of the Government Canada on recent credential stuffing attacks

August 15, 2020 – Ottawa, Ontario – Treasury Board of Canada Secretariat

The Government of Canada, like every other government and private sector organization in the world, deals with ongoing and persistent cyber risks and threats. That is why the government has robust systems and tools in place to monitor, detect and investigate potential threats, and neutralize them as quickly as possible.

The Government of Canada is taking action in response to “credential stuffing” attacks mounted on the GCKey service and CRA accounts. These attacks, which used passwords and usernames collected from previous hacks of accounts worldwide, took advantage of the fact that many people reuse passwords and usernames across multiple accounts.

Used by approximately 30 federal departments, GCKey allows Canadians to access services like Employment and Social Development Canada’s My Service Canada Account or their Immigration, Refugees and Citizenship Canada account. Of the roughly 12 million active GCKey accounts in Canada, the passwords and usernames of 9,041 users were acquired fraudulently and used to try and access government services, a third of which accessed such services and are being further examined for suspicious activity. 

Affected GC Key accounts were cancelled as soon as the threat was discovered and departments are contacting users whose credentials were revoked to provide instructions on how to receive a new GCKey. More information is available on Canada.ca. If you have immediate concerns, please call 1-800-O-Canada.

Approximately 5,500 CRA accounts were targeted as part of the GCKey attack and another recent “credential stuffing” attack aimed at the CRA. Access to all affected accounts has been disabled to maintain the safety and security of taxpayers’ information and the Agency is contacting all affected individuals and will work with them to restore access to their CRA MyAccount.

The government is continuing its investigation, as is the RCMP to determine if there have been any privacy breaches and if information was obtained from these accounts. As well, the Office of the Privacy Commissioner has been contacted and alerted to possible breaches.

To help reduce the risk of cyberattacks, always use a unique password for all online accounts. Do not reuse the same password for different systems and applications and regularly monitor all online accounts for suspicious activity.

The safety and security of Canadians, and their information, is the Government of Canada’s top priority. We continue to actively investigate these attacks and are taking swift action to implement additional security features as the investigation continues.

Associated Links

• Best Practices for Passphrases and Passwords
• Frequently Asked Questions (FAQs) – GCKey Security and Privacy