Can’t Login to CRA My Account Online? Cyberattacks Hit 9,000 Accounts Says Ottawa

Mycra cyberattack

This weekend the Canada Revenue Agency (CRA) My Account online services were temporarily shut down, and currently remain unavailable to Canadians, as the result of numerous cyberattacks against federal online services.

The CRA My Account for Individuals online portal is still unavailable Monday morning, with a message that reads, “This service is not available at this time,” and “this service disruption is temporary. We regret the inconvenience.”

As reported by CBC News on the weekend, the federal government disclosed cyberattacks targeted the Canada Revenue Agency (CRA) website and GCKey, a secure online portal that allows access to government services.

According to Treasury Board of Canada Secretariat Marc Brouillard, he noted the attacks were based on “credential stuffing”, where fraudsters leverage leaked account username and password combinations to login, as many people reuse online passwords for various accounts.

“By using previously hacked usernames and passwords, the bad actors were able to fraudulently acquire approximately 9,000 of the roughly 12 million active [GCKey] accounts, a third of which accessed such services and are being further examined for suspicious activities,” Brouillard told CBC News.

The Government of Canada says they have “worked around the clock to reduce the threat to Canadians affected…the credential stuffing attack on GC has ceased.”

According to the CRA, three separate cyberattack incidents may have allowed fraudsters access to 5,600 CRA My Accounts.

Access to CRA online services such as My Account, My Business Account and Represent a Client were temporarily taken offline, and remain offline as of writing.

Ottawa says these online CRA services are set to come back online mid-week. Canadians affected by COVID-19 have been using CRA My Account online to apply for the Canadian Emergency Response Benefit (CERB), so downtime means individuals won’t be able to access the online claim forms.

The RCMP said it’s looking into the attacks, while Canada’s privacy commissioner is also “monitoring” the situation.