Credential-stuffing cyberattacks on CRA and GCKey accounts
What happened
In mid-August 2020 the Government of Canada disclosed that thousands of online accounts had been compromised in a series of credential-stuffing attacks targeting GCKey, the centralised login service used to access roughly two dozen federal departments, and the Canada Revenue Agency's (CRA) own sign-in portal. Credential stuffing relies on usernames and passwords stolen in unrelated breaches elsewhere and replayed in bulk against new sites, exploiting the common habit of reusing the same password across services. The Treasury Board of Canada Secretariat said attackers obtained and tried to use GCKey usernames and passwords belonging to thousands of people.
According to the Office of the Chief Information Officer's statement, the government revoked about 9,300 GCKey credentials and put measures in place to block further use of the compromised logins. The CRA said roughly 5,500 of its accounts were targeted across the GCKey attack and a separate credential-stuffing attempt aimed directly at the agency. The CRA temporarily shut down its online services, including My Account, My Business Account and Represent a Client, to contain the activity and protect taxpayer data. As Global News reported, access to all affected accounts was disabled while the agency contacted those affected.
Later forensic work revised the scale sharply upward. In a February 2024 special report to Parliament, the Office of the Privacy Commissioner of Canada found that the attacks exposed the personal information of about 34,000 individuals through CRA accounts and a further 14,000 through Employment and Social Development Canada accounts, with attackers in many cases changing direct-deposit details and filing fraudulent claims for pandemic-era CERB and other benefits. The matter prompted an RCMP investigation and a class-action lawsuit.
Assessment
The available evidence points to financially motivated cybercrime, not state-directed hybrid warfare. The technique, credential stuffing with passwords harvested from prior breaches and reused by victims, is a commodity criminal method, and the apparent goal was theft via fraudulent benefit and tax-refund claims during the pandemic. No reputable reporting or official finding has attributed the attacks to a state actor. The Privacy Commissioner's report instead faulted weak federal authentication standards and delayed detection, framing this as a security and identity-assurance failure exploited by ordinary criminals.
This dossier summarises open-source reporting and is updated as the investigation develops. Read the original report via the source link.