The Canada Revenue Agency's website was just hit with a "credential stuffing" cyberattack, giving hackers access to 9,041 users' usernames and data. The Government of Canada temporarily shut down access to its online services as the bad actors tried to access GC's services. Approximately 5,500 GCKey service and CRA accounts were affected by this attack and another recent credential stuffing attack.
The attacks use passwords and usernames taken from previous hacks of accounts globally, taking advantage of the fact that many people reuse passwords and usernames on multiple accounts. Here's another reminder to please use different usernames and passwords for different accounts.
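As an added illustration (not part of the original article, and not the government's own tooling), here is how a defender might spot this pattern in login logs: one source trying many different usernames, mostly failing, with the few successes marking accounts that need a reset. The log layout, thresholds, IP addresses and usernames are all assumptions constructed for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

T0 = datetime(2000, 1, 1, 9, 0, 0)  # constructed timestamp base

# Constructed sample events: (timestamp, source IP, username, login succeeded)
SAMPLE = (
    # One source, eight different usernames, one try each; one reused password works.
    [(T0 + timedelta(seconds=10 * i), "203.0.113.7", f"user{i}", i == 5) for i in range(8)]
    # A legitimate user mistyping a password, then getting it right.
    + [(T0 + timedelta(seconds=20 * i), "198.51.100.20", "alice", i == 3) for i in range(4)]
    # Single-account brute force: noisy, but not stuffing (one username only).
    + [(T0 + timedelta(seconds=5 * i), "192.0.2.55", "bob", False) for i in range(10)]
)

def detect_stuffing(events, window=timedelta(minutes=5), min_users=5, min_fail_ratio=0.8):
    """Return {ip: (distinct_usernames, failure_ratio)} for stuffing-like sources.

    A source is flagged when, inside one sliding window, it tried at least
    min_users distinct usernames and at least min_fail_ratio of tries failed.
    """
    by_ip = defaultdict(list)
    for ts, ip, user, ok in sorted(events):
        by_ip[ip].append((ts, user, ok))
    flagged = {}
    for ip, rows in by_ip.items():
        start = 0
        for end in range(len(rows)):
            while rows[end][0] - rows[start][0] > window:
                start += 1  # slide the window forward
            span = rows[start:end + 1]
            users = {u for _, u, _ in span}
            ratio = sum(1 for _, _, ok in span if not ok) / len(span)
            if len(users) >= min_users and ratio >= min_fail_ratio:
                if ip not in flagged or len(users) > flagged[ip][0]:
                    flagged[ip] = (len(users), ratio)  # keep the widest hit
    return flagged

def accounts_to_reset(events, flagged):
    """Usernames that logged in successfully from a flagged source."""
    return sorted({u for _, ip, u, ok in events if ok and ip in flagged})

if __name__ == "__main__":
    hits = detect_stuffing(SAMPLE)
    print(hits)
    print(accounts_to_reset(SAMPLE, hits))
```

Counting distinct usernames per source, rather than failures per account, is what separates stuffing from ordinary brute force or a forgetful user; per-account lockout alone does not catch it because each account sees only one attempt.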
GCKey is used by around 30 federal departments, giving Canadians access to services like Employment and Social Development Canada's My Service Canada Account or their Immigration, Refugees and Citizenship Canada account. A third of the 9,041 acquired accounts accessed such services and are being examined for suspicious activity.
The affected accounts were cancelled as soon as the threat was discovered, and the appropriate departments are getting in touch with users to let them know how to receive a new GCKey.
If you have immediate concerns, you can call 1-800-O-Canada. There is also more information on Canada.ca.