Statement on GCKey Credential Service and recent credential stuffing attacks

The Canadian Centre for Cyber Security (Cyber Centre) is aware of a recent cyber security incident affecting the GCKey credential service and Canada Revenue Agency (CRA) accounts.

Although the Cyber Centre does not generally comment on, or confirm details about specific cyber security incidents, we feel it is important to confirm the Cyber Centre is working with its partners at the Treasury Board Secretariat of Canada (TBS) Chief Information Office (CIO), and Shared Services Canada to ensure the Government of Canada has robust systems and tools in place to monitor, detect, and investigate potential threats, and to neutralize threats when they occur.

The Government of Canada’s Chief Information Officer (CIO) released a statement today on this incident, which provides details on the credential stuffing attack on the GCKey service and the business impact to the Government of Canada.

The investigation into this incident is ongoing, but it is important to note that the GCKey service itself was not compromised.

In this case, a credential stuffing attack occurred because malicious actors obtained valid credentials (usernames and passwords) from unrelated data breaches. These valid credentials were fed to automated exploitation software targeting the vendor who provides the GCKey service. 

 The Cyber Centre strongly recommends that any Canadians who have been affected by this incident update their passwords immediately and avoid reuse. This will help ensure that other accounts outside of the Government of Canada are not vulnerable to the same kind of credential stuffing attack. 

 Canadians can stay informed by visiting getcybersafe.gc.ca or cyber.gc.ca for more on how to stay cyber secure. In particular, Canadians can protect themselves from a wide range of cyber threats by taking a few key actions:

  1. Patch and accept updates to your software and devices.
  2. Practice good password etiquette. Use strong and unique passphrases or passwords.
  3. Use multi-factor authentication.
  4. Be on guard for phishing (and spear-phishing) messages; and
  5. Store your data securely and know your back-up procedures.
Date modified: