BREAKING: Canada Revenue Agency Now Says 48500 Accounts Affected By Credential Stuffing Attack

Well, this is a wee bit alarming.

The Canada Revenue Agency or CRA for short now says a mind blowing 48500 accounts were affected by the credential stuffing attack that happened in August that forced the CRA website offline for a few days and affected a number of government departments in the process while security was improved. CTV News has the details:

In a major update to the impact of a series of credential stuffing attacks on government websites including the Canada Revenue Agency, the country’s top information officer now says that “suspicious activities” have been found on 48,500 CRA user accounts.


While it was initially reported that 5,500 CRA account users had their personal information accessed, officials then updated that number, saying a total of 11,200 accounts across Government of Canada services were compromised in the attacks. These included cyberattacks directly targeting both CRA accounts as well as “GCKey” accounts, which can be used by 30 government departments and agencies to access other online portals such as veterans’ benefits and immigration applications.

Every Canadian should be running to the CRA website and doing the following right now:

  1. Log in and see if you can still do so. If you cannot, you may have a problem.
  2. If you can log in, check to see if you applied for the Canada Emergency Response Benefit. If you haven’t but the CRA website says you have, you have a problem.
  3. Check to see if your address or banking information has changed. If it has you have a problem.

Now if any of the above falls under the “you have a problem” category, you should do what is recommended in this release from the CRA, which is to call 1-800-959-8281 (English) or 1-800-959-7383 (French) immediately.

If all is well with your CRA account, I would instantly change your password to something is at least 8 characters long, contains an uppercase letter, a number, and for bonus points a special character (!@#$%^&* for example). And I would enable email notifications on your account so that you can get notified of any changes. Especially ones that you didn’t make.

The bottom line is that the Government of Canada has now seriously dropped the ball here. To have about 4 times as many people affected by this hack is appalling. And they are beyond due to answer some serious questions about why this happened and why they should be trusted to protect the personal information of Canadians going forward.

Leave a Reply

%d bloggers like this: