Thousands of Canadian Gov’t Accounts Hacked, Lessons Learned from this Attack

The Government of Canada recently confirmed that thousands of Canadian Government accounts had been hacked.

In a statement issued last August 15th, the Treasury Board of Canadasaid that the attackers zeroed-in the government’s GCKey system – a single sign-on (SSO) system used by 30 Canadian federal departments for the public to access different government services, including employment, citizenship, social services such as access to Covid-19 relief programs. GCKey is also used as an alternative access route to login to the Canadian Revenue Agency (CRA) systems.

Credential Stuffing Attack

In the August 15th statement released by the Treasury Board of Canada, out of 12 million GCKey accounts, 9,041 accounts were compromised via the cyberattack called “credential stuffing”. In a credential stuffing attack, an attacker uses username and password combinations stolen from previous unrelated data breaches.

To date, there are billions of username and password combinations available online. In July 2020, Digital Shadows reported that there are more than 15 billion credentials in circulation in cybercriminal marketplaces, many of them found on the dark web. Credential stuffing attacks operate on the premise that many people reuse usernames and passwords across multiple online accounts.

Attackers use these publicly available username and password combinations to launch credential stuffing attacks. They use automation, also known as bots, to launch large-scale credential stuffing attacks. CNN reported that at one point over the weekend, Canadian officials disclosed that they detected as many as 300,000 attempted credential stuffing attacks to access accounts on at least 24 government systems.

In its August 15th statement, the Treasury Board of Canada said that out of the total compromised GCKey accounts, 5,500 targeted CRA accounts. 

“Early on Saturday morning a CRA portal was directly targeted with a large amount of traffic using a botnet to attempt to attack the services through credential stuffing,” Marc Brouillard, acting Chief Information Officer at the Treasury Board of Canada told CNN. “Out of an abundance of caution the CRA portal was shut down to contain the attack and implement measures to protect CRA services.”

One of the thousands of people who had their GCKey account compromised told CBC about her ordeal. “On Tuesday, I was just checking my email and I got a legitimate email from CRA saying that my email address had essentially been removed from my account and that I wouldn’t be getting any more notifications through this email address,” she said. “It was a legit email from CRA, I had recently received the same sort of style of email that told me my notice of assessment was ready when I did my taxes.”

Changing to another computer, the victim accessed her CRA account and that’s when she noticed changes on her account, including her direct deposit information. “It went to a different bank altogether,” the victim said. Within an hour of getting the email, the victim said she was just in time in putting a stop to the direct deposit options on the account.

Tests conducted by BleepingComputer on the Canadian Government’s websites showed that accessing sites such as CRA showed that GCKey doesn’t have multi-factor authentication enabled in the workflow. BleepingComputer also didn’t find any security CAPTCHA (short for Completely Automated Public Turing Test To Tell Computers and Humans Apart in use). 

“When signing-in from a new computer, the user would be asked a security question (e.g. pet’s name), however, there is no mechanism prompting the user for a 2FA code, for example, to be sent via a text message (SMS),” BleepingComputer reported.

While the recent cybersecurity incident on the Canadian Government’s GCKey system was attributed to credential stuffing attacks in the August 15th statement by the Treasury Board of Canada, in a recent press call, Brouillard, the acting Chief Information Officer at the Treasury Board of Canada said that the compromised of CRA accounts was made possible as attackers were also able to exploit a vulnerability in the configuration of a security software solution, allowing the attackers to bypass CRA security questions and gain access to users’ CRA accounts.

Brouillard said this vulnerability was patched. The acting Chief Information Officer at the Treasury Board of Canada, however, refused to give more details about this security vulnerability.

Preventive and Mitigating Measures Against Credential Stuffing Attacks and Software Vulnerability Exploitation

Here are some of the best practices in preventing credential stuffing attacks and software vulnerability exploitation:

  • Keep all software up to date.
  • Encourage users to use strong passwords and never to reuse login details across different online platforms.
  • Use an extra layer of protection to users’ accounts to prevent bots attacks through the use of multi-factor authentication or CAPTCHA.

Notes About Bots

The recent cybersecurity incident on the Canadian Government’s GCKey system was made possible through the use of bots – referring to software applications that run automated tasks over the internet. Legitimate and malicious bots abound online. The bot used by Google is an example of a legitimate bot used to crawl the internet and index it for the company’s search engine.

Malicious bots include those that automatically scan websites for software vulnerabilities. Thus, it’s important to keep all software up to date due to these malicious bots. One type of malicious bot is a spambot – a software application designed to amass a large list of usernames and passwords used for malicious activities as such credential stuffing attacks.

Here are some mitigating measures against spambots:

  • Add CAPTCHA on sign-up.
  • Whitelist specific bots that are allowed to access your organization’s website.
  • Use a JavaScript alert to notify your organization in case of unusual bot traffic.
  • Use a bot management solution to scrutinize every visitor on your organization’s site and determine whether it’s human or a bot. This ensures that human users as well as legitimate bots can have uninterrupted access to your organization’s website.

While attacks are getting more and more sophisticated, it never too late to identify and address your weaknesses. We can help your organization prevent or mitigate the risks cyberattacks, fast and on-budget. Call today for a free consultation and to schedule your assessment (416) 920-3000 or email us at

Leave a Reply

Your email address will not be published. Required fields are marked *