The Government of Canada disclosed a significant supply chain breach affecting approximately 880,000 federal account holders. The compromise originated at 2Keys Corporation, a third-party provider of multi-factor authentication (MFA) services for several major federal agencies. The breach, which occurred between August 3 and August 15, 2025, and was discovered on August 17, exposed phone numbers and email addresses used for MFA verification across the Canada Revenue Agency (CRA), Employment and Social Development Canada (ESDC), and the Canada Border Services Agency (CBSA).

What Happened

A routine software update deployed to 2Keys Corporation's MFA infrastructure inadvertently introduced a vulnerability that allowed an unauthorized actor to access the authentication contact database. The attacker exploited this vulnerability between August 3 and August 15, 2025, exfiltrating phone numbers and email addresses used to deliver one-time passcodes to federal account holders.

2Keys Corporation's security team discovered the breach on August 17, 2025, during a post-deployment review. The vulnerability was immediately patched, and the compromised systems were isolated and restored from verified clean backups.

The Supply Chain Vector

This breach is a textbook example of supply chain risk in government IT. Rather than attacking the Government of Canada's own hardened infrastructure directly, the threat actor targeted a third-party vendor whose systems were trusted by multiple federal agencies. The vulnerability was introduced through a legitimate software update process, making it particularly difficult to detect through standard perimeter defenses.

The incident highlights how a single vendor compromise can cascade across multiple government departments simultaneously, amplifying the blast radius far beyond what a direct attack on any single agency might achieve.

Scope of the Exposure

The stolen data included:

  • Approximately 880,000 phone numbers used for SMS-based MFA verification
  • Approximately 85,000 email addresses used for email-based MFA verification
  • Association of these contact details with CRA, ESDC, and CBSA account identifiers

The Government of Canada has confirmed that no additional personally identifiable information (PII) was compromised in the breach. SINs, tax records, benefit payment details, and other sensitive data held by these agencies were not accessed. However, the stolen contact data was quickly weaponized in phishing campaigns.

Within days of the breach, affected individuals reported receiving SMS phishing messages that closely mimicked Government of Canada communications, directing recipients to convincing replicas of CRA and ESDC login portals designed to harvest credentials.

Government Response

The Government of Canada and 2Keys Corporation have taken the following steps:

  • 2Keys Corporation patched the vulnerability and restored systems from clean backups
  • The Treasury Board of Canada Secretariat issued an advisory to all affected individuals
  • CRA, ESDC, and CBSA implemented enhanced monitoring for suspicious login activity
  • A comprehensive audit of all third-party authentication providers is underway
  • The Canadian Centre for Cyber Security (CCCS) published indicators of compromise related to the phishing campaign

Protecting Yourself

If you hold a CRA, ESDC, or CBSA online account, CyberSafe recommends the following precautions:

  • Be extremely cautious of any SMS or email claiming to be from the Government of Canada, especially those asking you to click a link or verify your identity
  • Always access government services by typing the official URL directly into your browser rather than clicking links in messages
  • Change your password on all affected government accounts
  • Consider switching your MFA method from SMS to an authenticator app where available
  • Report any suspicious messages to the Canadian Anti-Fraud Centre and the CCCS

Third-Party Risk Management Lessons

This incident serves as a stark reminder that an organization's security posture is only as strong as its weakest vendor. Government agencies and enterprises alike must implement rigorous third-party risk management programs that include continuous security assessments of vendors, contractual security requirements, and real-time monitoring of vendor-operated systems.
