The Canada Revenue Agency experienced a significant credential stuffing attack in March 2024 during the busiest tax filing period of the year. Threat actors conducted a large-scale automated attack attempting to gain unauthorised access to thousands of CRA MyAccount accounts using credentials obtained from previous data breaches at other organisations. The attack underscored the vulnerability of government portals to credential reuse attacks and the critical importance of multi-factor authentication.

What Happened

In mid-March 2024, the CRA detected unusual login activity on its MyAccount portal. Investigation revealed that threat actors were conducting automated credential stuffing attacks, using lists of previously compromised username and password combinations from unrelated data breaches. The attackers used specialised tools to rapidly test credentials against the CRA portal, attempting to identify valid accounts where users had reused passwords across multiple services.

The attack utilised credential databases obtained from previous breaches at retailers, social media platforms, and other organisations. Threat actors recognised that many Canadians reuse passwords across personal and government accounts, making credential stuffing a viable attack strategy for gaining access to tax records and personal financial information stored in CRA systems.

Scope and Impact

The credential stuffing campaign targeted an estimated 30,000 CRA MyAccount accounts. The CRA reported that approximately 2,600 accounts were successfully compromised, allowing threat actors to access taxpayer personal information, filing history, and potentially modify account settings. The breached accounts gave threat actors access to:

  • Personal tax records and filing history
  • Social Insurance Numbers and personal identification information
  • Residential address and contact information
  • Benefit payment information and banking details
  • Spouse and dependent information

The timing of the attack during tax season was significant, as Canadians were actively accessing CRA accounts to file returns and review tax information. Compromised accounts gave threat actors access to individuals' most sensitive financial and personal data during a period when account activity was high and unauthorised access was potentially less likely to trigger suspicion.

Threat Actor Activity

Investigation revealed that threat actors accessed compromised accounts to view and potentially modify personal information. Some evidence suggested that threat actors had attempted to change account recovery information and linked email addresses, actions consistent with preparing accounts for long-term fraudulent use. The CRA detected these modification attempts and prevented most from succeeding, but some account details were altered before detection occurred.

CRA's Response

The CRA implemented rapid response measures to contain the incident:

  • Immediately detected and blocked the credential stuffing attack using advanced security monitoring
  • Forcibly logged out all active MyAccount sessions and required password resets for affected users
  • Notified affected taxpayers directly about the compromise and recommended protective actions
  • Strengthened multi-factor authentication requirements for all MyAccount users
  • Implemented enhanced rate limiting to prevent future credential stuffing attempts
  • Collaborated with law enforcement agencies to investigate threat actors
  • Offered complimentary credit monitoring to affected individuals

Lessons Learned

The CRA credential stuffing attack demonstrates several critical lessons for government organisations and citizens. First, credential reuse remains one of the most prevalent security risks. Canadians who use the same password across multiple services remain vulnerable to credential stuffing attacks when any one service suffers a breach.

Second, the attack illustrates the necessity of mandatory multi-factor authentication for accounts containing sensitive personal and financial information. Whilst password-based authentication remained vulnerable, multi-factor authentication would have prevented most credential stuffing attacks from succeeding, as threat actors would also have needed to compromise the second authentication factor.

Third, the timing of the attack during tax season highlights how threat actors target organisations during peak usage periods when account activity increases and suspicious behaviour may be more difficult to detect amongst legitimate traffic.
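The detection problem described above (spotting stuffing amongst heavy legitimate traffic) can be approached by counting distinct usernames and failure ratio per source rather than raw volume. The following is an added example, not the CRA's detection logic; the event fields, thresholds and sample events are assumptions constructed for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed thresholds for illustration; tune against real traffic.
WINDOW = timedelta(minutes=5)
MIN_USERS = 4          # distinct usernames tried by one source in WINDOW
MIN_FAIL_RATIO = 0.7   # share of those attempts that failed

def detect_stuffing(events):
    """events: time-ordered (datetime, source_ip, username, success) tuples.
    Returns (flagged sources, accounts those sources logged in to)."""
    recent = defaultdict(deque)   # source -> attempts still inside WINDOW
    logged_in = defaultdict(set)  # source -> usernames with a successful login
    flagged = set()
    for ts, src, user, ok in events:
        q = recent[src]
        q.append((ts, user, ok))
        while ts - q[0][0] > WINDOW:
            q.popleft()
        if ok:
            logged_in[src].add(user)
        users = {u for _, u, _ in q}
        fail_ratio = sum(not s for _, _, s in q) / len(q)
        if len(users) >= MIN_USERS and fail_ratio >= MIN_FAIL_RATIO:
            flagged.add(src)
    # Any account a flagged source got into is a candidate for session
    # revocation and a forced password reset.
    to_reset = set().union(*(logged_in[s] for s in flagged))
    return flagged, to_reset

def sample_events():
    """Constructed login events; IPs are from documentation ranges."""
    t0 = datetime(2024, 1, 1, 9, 0, 0)
    ev = []
    # One source working through many usernames; one reused password succeeds.
    for i in range(8):
        ev.append((t0 + timedelta(seconds=10 * i), "203.0.113.7", f"user{i}", i == 5))
    # A household: one mistyped password, then two normal logins.
    ev += [(t0 + timedelta(seconds=5), "198.51.100.20", "alice", False),
           (t0 + timedelta(seconds=20), "198.51.100.20", "alice", True),
           (t0 + timedelta(seconds=60), "198.51.100.20", "bob", True)]
    # A busy shared source at peak season: many users, all succeed.
    for i in range(6):
        ev.append((t0 + timedelta(seconds=15 * i), "192.0.2.50", f"client{i}", True))
    return sorted(ev, key=lambda e: e[0])

if __name__ == "__main__":
    print(detect_stuffing(sample_events()))
```

Per-source counting is only one signal: it should be paired with per-account signals, such as recovery-detail changes shortly after a login from a new source, and with multi-factor authentication.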

How CyberSafe Can Help

CyberSafe's Credential Security Services help organisations implement defence mechanisms against credential stuffing attacks, including rate limiting, CAPTCHA challenges, and behavioural analysis. Our Managed Security Services provide continuous monitoring to detect suspicious account access patterns and unusual login activity. We also offer Security Awareness Training that educates users about the importance of unique passwords and multi-factor authentication.
