The accounts of thousands of Canadians who had accounts with the Canada Revenue Agency have been hacked. The hackers are reportedly said to have used a “credential stuffing” scheme, in which they obtained personal details. A Canadian woman identified as Leah Baverstock is among the Canadians whose accounts were compromised. She said she received an email on August 7 informing her that her application for the Canadian Emergency Response Benefit (CERB) had been accepted.
Baverstock said she was confused because she had not applied for the program.
After learning about the breach, Baverstock called the anti-fraud unit, but they were not operating due to COVID. She went ahead and called Service Canada, and informed them about what had happened to her social insurance number. She also informed the bank and other accounts so that they could put some additional security in place. According to Baverstock, the social insurance number was their Canadian identification number, so if somebody had access to that, then they had access to basically anything. Baverstock was worried about how a stranger could live under her name and her social insurance number.
Baverstock said she couldn’t t even log into her CRA account, but other people could. She said she had applied for a code to access the report, but she had not received it since March. Baverstock said she was not happy with the CRA’s response, who advised that a senior officer would call her within 24 hours, but she has not received the call yet.
Government Officials confirmed Monday 11,200 accounts for the Government of Canada services were compromised, including CRA accounts and “GCKey” accounts, which 30 government departments use. The officers said they learned about the attack on August 7, but didn’t contact the RCMP until August 11.
Marc Brouillard, the acting chief technology officer for the Government of Canada, said that ‘bad actors’ were also able to exploit a vulnerability in the configuration of security software solutions, which allowed them to bypass the CRA security questions and gain access to the users’ CRA accounts.
Specialists in cybersecurity have reported that reusing your passwords can make hackers quickly access your accounts, given that a single breach could give hackers the tools to access several accounts using your details. Nonetheless, they said passwords weren’t the full picture of that breach.