'Credential stuffing' attacks wreak havoc on government accounts in Canada

Aug. 18, 2020
Cybersecurity experts say lax security practices are to blame

The Canadian government on Saturday announced that it was working to address a cyberattack that targeted accounts used by citizens to access a wide range of government services.

According to a statement issued by the Office of the Chief Information Officer for the country, the attack impacted more than 9,000 GCKey accounts, which Canadians use for things such as employment insurance, as well as approximately 5,500 Canadian Revenue Agency (CRA) accounts. The government said fraudsters were able to access services from a third of the fraudulently obtained GCKey accounts, which are now being further examined for suspicious activity.

Specifically, the attackers in the incident used a method known as “credential stuffing,” which involves taking the usernames and passwords harvested from past data breaches to compromise accounts where users have leveraged the same credentials.

“Credential stuffing attacks are desirable because there is minimal effort needed from an adversary. An attacker simply has to access readily available public breach information – which is likely the case here – and use that information to check against other accounts. How easy it is to gain this information, combined with the scale at which it can be performed, shows why this attack vector is so desirable,” Eric Groce, Incident Response Manager for Red Canary, explains. “To avoid this type of attack, end users and organizations should never reuse old passwords and always use multi-factor authentication when available. Even better, you can use a password manager to keep track of all passwords.”

Chris Hauk, Consumer Privacy Champion at Pixel Privacy, says the attack demonstrates the need for users to vary their passwords across sites.

“Credential stuffing attacks like this one underscore the need for unique passwords for every site,” Hauk said. “The 11,000 accounts that were compromised were accessed only because the account holder used the same password on both the Canadian government site and another, previously compromised site.”

Casey Kraus, President of Senserva, puts the onus on users to mitigate these types of attacks.

“With the migration to the cloud, security starts with the user,” Kraus adds. “There has been an increase in attacks, and likely will be continued attacks that are made by bad actors that target user accounts. Working to enforce policies like multi-factor authentication, privileged identity management, and automatic password changes can help to keep user accounts safe. Focusing on what a user has access to and how they access their account is the first step in preventing a breach in today's tech age.”

Paul Bischoff, Privacy Advocate at Comparitech, said that the incident also highlights the need for two-factor authentication.

“The CRA online portal allows taxpayers in Canada to access a lot of very sensitive information, so it's surprising that the agency doesn't enforce the use of two-factor authentication,” Bischoff said. “Two-factor authentication, which requires users to input a one-time code when they log in alongside their username and password, is the best defense against credential stuffing. It will lock out any user without the code if they try to log in from a new or unfamiliar device. I wouldn't be surprised if the CRA adds 2FA to its login process in response to this incident.”