Feds Scramble After Interac’s 2Keys Hack Exposes Canadians to Phishing

Almost one million Canadians had their contact information stolen in a cyberattack on the federal government’s authentication system, later used in a massive phishing campaign.

According to Employment and Social Development Canada (ESDC), hackers accessed about 881,000 phone numbers tied to the Canada Revenue Agency’s MyCRA service, as well as more than 85,000 email addresses connected to Canada Border Services Agency accounts.

The breach was first revealed in early September by the Chief Information Officer, who described it as a “data security incident” involving the government’s multi-factor authentication provider. At the time, officials stressed that only email addresses and phone numbers were taken, calling it a “non-material privacy incident.”

But the scale of the theft was not disclosed until now. Criminals used the stolen data to send hundreds of thousands of text messages, many containing links to a fake Government of Canada website. Clicking those links could trick victims into handing over login details for real federal portals.

“The (malicious) actor sent spam text messages containing a link to a fraudulent phishing website designed to look like a Government of Canada website to some of these phone numbers,” the CIO’s office said.

So far, Ottawa says there’s no evidence of compromised accounts. “The data accessed did not include any additional personal identifiable information or sensitive personal data,” ESDC spokesperson Mila Roy told the National Post. “This information alone does not allow the unauthorized individual(s) to access Government of Canada accounts or other personal information.”

The feds confirmed that hackers exploited a flaw introduced during a routine software update by Interac-owned 2Keys, its multi-factor authentication provider, between August 3 and 15, 2025. The vulnerability allowed attackers to steal nearly 881,000 phone numbers tied to CRA and ESDC accounts and more than 85,000 email addresses linked to CBSA accounts. Interac is jointly owned by the country’s biggest banks and credit unions, with the biggest shareholders being RBC, TD, Scotiabank, BMO, and CIBC.

Criminals then used that data to send phishing texts directing people to a fake Government of Canada website designed to steal login credentials. Interac said it detected “unusual behaviour,” informed Ottawa within two days, and patched the system. Officials insist no other sensitive personal information was exposed, calling the incident a “non-material privacy incident,” though the stolen data was actively weaponized in a spam campaign.

Within two days, 2Keys informed Ottawa of the unauthorized access, Interac spokesperson Cillian Murphy told the National Post, noting that the company “promptly informed the government and launched an investigation.”

Did you receive any spam texts claiming to be from the federal government in the past month?


Doctor Mobius
7 months ago

Not to mention they would need the CRA PassCode Grid to access the account, even with the correct password.

James Haven
7 months ago

This is a reply to the person who said they still need your CRA passcode grid. They don’t.

2FA is not the holy grail of security. It’s only effective for people that wouldn’t give up their password in the first place.

It only slows hackers down. What they do is this:

They send you to a fake site. Doesn’t matter if it’s your bank, CRA, Microsoft or your work account.

First they ask you to enter your password. They enter that password on the real site.

The real site asks them to enter your 2FA code. They say send me the code.

The fake site asks you to enter the code that you just received. You enter it into the fake site, and they take that code and enter it into the real site, plus they check the box that says “this is a trusted computer”.

I don’t know exactly what the answer is, but it would be helpful if banks, the CRA and anywhere else you have to log in would stop sending out emails with links to their sites. Banks say they don’t do it, but they send out marketing emails all the time with links to their website, not asking you to log in, but it does train people to click on links that go directly to their sites. They need to train people to never log in to ANYTHING from an email, and ALL companies need to do this. If they need to communicate with you they should just say go to our site and log in. With NO links.

Education is the real answer. 2FA is great, but only for some people. Every time people log in anywhere they need to ask themselves, how did I get here, and if the answer is from a link or a phone call, then shut it down. This needs to be drilled into their heads by the sites that need a password.

escargot
Reply to James Haven
7 months ago

Unfortunately, most sites that claim to offer 2FA don’t actually offer 2FA. They only offer single-factor authentication, while falsely calling it 2FA. Namely, SMS-based OTP codes. They allow you to reset the password using just these OTP codes. So the password is essentially just a joke. The only single factor that matters is the SMS-based OTP, which is ridiculous and terribly insecure, as we have all seen in the media.

😄😆
Reply to escargot
7 months ago

Sounds like you're talking about RFD.

escargot
Reply to 😄😆
7 months ago

Almost every site imaginable, other than Apple and a handful of others, operates that way. Even many banks.

😄😆
Reply to James Haven
7 months ago

Until some financial institutions and Amazon stop sending links via SMS, nothing is going to change unless it's mandated. Perhaps there needs to be [another] class action lawsuit against Amazon and institutions that send links by SMS?

😄😆
Reply to James Haven
7 months ago

Wrong. CRA does not require the PassCode Grid for everyone. It’s just one of several MFA options. According to the CRA’s own help page, when you set up multi‑factor authentication you can choose:

1. A third‑party authenticator app

2. A phone number (text or voice call)

3. A PassCode Grid

You can pick one or more of these methods. That means plenty of Canadians log in with just their password plus a code sent to their phone or app — no Grid involved.

So the claim that “you’d always need the PassCode Grid” is simply wrong. It’s optional, not universal. That’s why the phishing risk from the 2Keys breach was real: for anyone without the Grid, a stolen password and one‑time code could be enough.

Sam
7 months ago

Never click on a link from a text message or an email. Go to the website manually yourself.
