Canadian government services have been targeted in credential-stuffing attacks and about 15,000 accounts have been compromised, including those used to provide COVID-19 relief benefits.

Those behind the attacks compromised 5,500 Canada Revenue Agency accounts, a service portal that enables Canadians to view and manage tax and benefits information along with more than 9,000 GCKey accounts, a portal used by federal departments to provide access to information on government services.

Credential-stuffing is a process that uses account login details stolen in other hacks in an attempt to gain access on the presumption that many people reuse the same email and password across multiple sites.

The attack is said to have been detected early on and bought under control, but the CRA’s online services have been suspended and are not expected to be up and running until at least Wednesday.

“Access to all affected accounts has been disabled to maintain the safety and security of taxpayers’ information and the Agency is contacting all affected individuals and will work with them to restore access to their CRA MyAccount,” the Canadian government said in a statement.

“This attack on the Canadian government is actually relatively small, with 300,000 attempts recorded,” Edward Roberts, director of product marketing at cybersecurity software company Imperva Inc., told SiliconANGLE. “Comparatively, our threat research team recently identified the largest account takeover attack on a single login to date, with 44 million ATO attempts recorded over the course of 60 hours.”

The most effective way to prevent bots running credential-stuffing attacks is to prevent any form of automated threat from being able to access the site by deploying a bot mitigation solution, Roberts explained. “Additionally, protections such as multifactor authentication, CAPTCHA and device fingerprinting are effective in preventing credential stuffing attacks,” he said.

Mounir Hahad, head of Juniper Threat Labs at networking and cybersecurity firm Juniper Networks Inc., said reuse of credentials is a big issue, prompting experts to propose getting rid of passwords altogether.

“But we’re not there yet, so I’m glad the government of Canada was able to spot the brute force attempt quickly,” Hadad said. “Can you imagine if this was perpetrated slowly over months instead or hours? It is possible that the attack would go undetected.”

Saryu Nayyar, chief executive officer of security and risk analytics firm Gurucul Solutions Pvt Ltd A.G., said the lesson is that passwords should never be reused on a site that houses important information. “Unique, strong, passwords are the order of the day and should be backed with multifactor authentication,” she said. “User education and good password hygiene helps mitigate attacks like this, but they will happen, which means organizations will still need to bolster their internal defenses.”

Photo: Xtabi/Wikimedia Commons