National Post (National Edition)

CRA suspends accounts over dark web activity

100,000-plus passwords said to be displayed

- CHRISTOPHER NARDI

OTTAWA • The Canada Revenue Agency had to suspend the accounts of more than 100,000 users of its online service because it detected troves of leaked login information on the dark web that could have led to data breaches.

If you received an unexpected and cryptic email on Feb. 16 from CRA warning you that your email had been deleted from the agency's web platform, MyCRA, do not worry: your account has not been breached.

In fact, the agency says it means that their new early cybersecurity issue detection system is working (though the communication strategy will be reviewed and it “regrets the inconvenience.”)

But that also means your login data has probably been compromised through a third-party breach and you will need to contact CRA in order to regain access to your online account, particularly if you plan on filing your 2020 taxes online starting next week.

“To be clear, these accounts were not impacted by a cyber attack at the CRA. These accounts have not been compromised and the action taken to lock the accounts was a preventative measure,” agency spokesperson Christopher Doody said in an emailed statement.

Steps on how to regain access to their online account will be sent to affected taxpayers by mail, he added.

The Feb. 16 email — an unusual form of communication in itself as the agency generally promises never to email taxpayers directly, preferring to send communications through MyCRA — came after the CRA suspended over 100,000 taxpayers' accounts after detecting that their credentials were likely for sale on unsavoury online marketplaces.

“In this particular case, an internal analysis revealed evidence that some account credentials (i.e. user IDs and passwords) may have been compromised, and may be available for use by unauthorized individuals,” Doody wrote.

The agency assures that the data was not stolen from their servers, but instead through one of the many small-to-massive data breaches that have plagued an increasing number of organizations over the years (Equifax and Desjardins are just recent examples).

Some of that stolen login data was then put up for sale on the dark web, which is a hidden part of the Internet only accessible through tailored software.

When those credentials were cross-referenced with internal MyCRA login data, the agency noted over 100,000 accounts that used the same combination of email and password.

That meant that anyone who purchased the stolen data might have been able to access the taxpayers' sensitive MyCRA account.

“As a precautionary security measure and to prevent unauthorized access to these accounts, we took swift action to lock the accounts and are in the process of contacting the legitimate account holders to unlock their accounts,” the agency said.

“We will work with impacted individuals to re-establish their credentials and unlock their accounts. There is no urgent need for taxpayers to contact us imminently unless they are an emergency benefit applicant and have active applications in our system.”

But the cryptic email sent out by the agency on Tuesday, which simply told the recipient that their email address had been removed from their Canada Revenue Agency account with no further explanation, created significant concern among Canadians.

Many were afraid that the issue was linked to significant cyber incidents and suspicious activity involving 48,500 MyCRA accounts last summer, though Doody assures that is not the case.

Those incidents forced CRA to suspend tens of thousands of taxpayers' online accounts as well as suspend certain online services such as address changes until further notice.

Unable to reach the agency via its call centre, many Canadians turned to social media to get an explanation from the CRA.

“I just received an email that my email address has been removed from CRA. I don't know why and didn't initiate myself. I tried logging into the CRA website and as soon as I log in I get an error message. What's going on?,” Twitter user Chris Lotts asked the agency.

Another user, Dennis Saunders from Halifax, was particularly concerned after receiving the cryptic email from CRA.

“Help me please you are freaking me out why am I locked out you removed my email Whats is going I am scared to death help me,” Saunders tweeted to the CRA.

SOME ACCOUNT INFORMATION MIGHT HAVE BEEN COMPROMISED.

PETER J THOMPSON / NATIONAL POST The Canadian Revenue Agency says recent misbehaviour has shown that its detection system is working.
