An internal “vulnerability” allowed hackers to access thousands of Canadians’ accounts for online government services, federal officials said Monday at a press conference.
Around 11,200 Government of Canada accounts, including Canada Revenue and GCKey accounts, were hacked over the weekend, but the threat is now under control, government officials said. The accounts accessed included employment insurance and immigration applications.
The hackers used a technique called “credential stuffing”: they took thousands of usernames and passwords stolen from other websites and tried them on the government websites, gaining access to accounts where people had reused the same login information.
“By using previously hacked usernames and passwords, the bad actors were able to fraudulently acquire approximately 9,000 of the roughly 12 million active (GCKey) accounts,” Marc Brouillard of the Treasury Board of Canada Secretariat said at the press conference.
“The (Government of Canada) has worked around the clock to reduce the threat to Canadians affected… The credential stuffing on GC has ceased.”
The affected accounts were cancelled and the government is contacting users who were compromised to give them information on establishing a new account.
Three separate attacks occurred, with the last one Sunday, causing Canada Revenue to temporarily shut down accounts. The breach comes as millions of Canadians have used and are using the agency’s website to apply for emergency financial support during the COVID-19 pandemic.
The hackers were also able to “exploit a vulnerability in the configuration of security software solutions, which allowed them to bypass the CRA security questions and gain access to a user’s CRA account,” Brouillard said.
The wage subsidy accounts used by businesses are back online and the services for individuals should be up and running by mid-week, officials said.
Officials advised people to use different usernames and passwords for each website.
Law enforcement authorities are investigating the breach.
Copyright 2021 Anadolu Agency. All rights reserved. This material may not be published, broadcast, rewritten, or redistributed.