The CRA Hack: What Happened, Who Was Affected, & How To Protect Yourself
Patreon Account : https://www.patreon.com/SimpleMoneyPodcast
Today we’re going to look at the recent CRA hack: how it occurred, what will happen to the people whose accounts were hacked, and what we can all do to prevent a similar issue from affecting us in the future.
The stories told by those who were hacked follow a similar pattern. First they received an email notification stating that the email address or the direct deposit information on their CRA account had been changed. Those who were hacked then typically either contacted the CRA or ignored the notice completely, assuming it was just a phishing email. In many cases, those who contacted the CRA were told that it was an isolated incident and that they had nothing to worry about.
Unfortunately, that was not the case: the CRA has since publicly stated that it did not immediately notify affected individuals while it was investigating behind the scenes.
What happened next was the main goal of the attack: to apply for the Canada Emergency Response Benefit, more commonly known as CERB, in the victim’s name and have it paid out to bank accounts not connected to that individual. It is also assumed that the receiving bank accounts were likely opened fraudulently, or were opened by people who were convinced to open accounts on another party’s behalf.
My first suspicions that something odd was happening kicked in a few weeks ago, when I started to hear from Canadians that their CRA accounts had been accessed and CERB had been applied for by someone else. The CRA’s response was to freeze their accounts and investigate, a process that seems to take a month or more. At this point there was no official announcement by the CRA.
That changed just this past weekend, when the CRA publicly announced that there had been multiple attacks and shut down the affected web portals. As of this writing, CRA MyAccount and GCKey are still shut down.
How The CRA Hack Happened
So the first question everyone has is: how did this attack succeed against a system that was believed to be so secure?
The answer is a type of attack called credential stuffing. The attacker takes a database of usernames and passwords leaked from other sites and enters them, pair by pair, into the targeted website’s login form, in the hope that the user reused the same login information there. Wherever a pair matches, the attacker is in. This attack relies entirely on people reusing passwords across sites and not changing them after a breach.
These databases are typically acquired from past breaches or phishing campaigns. One example that shows how massive they can be is a compilation known as “Collection #1” through “Collection #5”. Together these contain roughly 2.2 billion unique username and password pairs collected from past breaches. The most frightening part is that this data circulates for free online as plain text files.
Other such databases are sold on the dark web and can include more recent breaches. They usually sell for about 10,000 to 20,000 USD worth of bitcoin.
Once attackers have a database, they need a way to enter the data on the site at scale. To do this, they use automated tools that route the login attempts through large pools of proxies, so that each request appears to come from a different IP address, browser type and other origin details. That way, the administrators of the attacked website never see a concentrated attack from a single origin; they see what looks like ordinary login traffic. In many cases, websites do not even realize they were hit by this type of attack until the fraud surfaces.
The majority of username and password pairs from such a database do not work on the targeted site, but some do. Wired has estimated that the success rate is about 0.1 to 0.2%. So the larger the database, the more accounts the attacker will get into.
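The traffic pattern just described is exactly what a defender can look for in a login log: a low hit rate, each account tried about once, and the attempts spread across a rotating pool of source addresses, as opposed to brute force (many attempts on one account) or ordinary traffic (most attempts succeed). The following Python script is an added example, not code from the original post or from the CRA; the log format, the generated sample lines and the thresholds in `classify` are all constructed for illustration and would need tuning for a real site.

```python
import random
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class WindowStats:
    """Aggregate view of the login attempts inside one time window."""
    attempts: int
    successes: int
    distinct_users: int
    distinct_ips: int

    @property
    def success_rate(self) -> float:
        return self.successes / self.attempts if self.attempts else 0.0

    @property
    def user_spread(self) -> float:
        # ~1.0 means each attempt hit a different account: a leaked list being
        # replayed pair by pair. Brute force against one account scores ~0.
        return self.distinct_users / self.attempts if self.attempts else 0.0

    @property
    def ip_spread(self) -> float:
        # ~1.0 means almost every attempt came from a different source address,
        # i.e. a rotating proxy pool hiding the single real origin.
        return self.distinct_ips / self.attempts if self.attempts else 0.0


def parse_line(line: str):
    """Parse a constructed 'ISO-timestamp client_ip username OK|FAIL' line."""
    ts, ip, user, result = line.split()
    return datetime.fromisoformat(ts), ip, user, result


def window_stats(lines, start: datetime, window: timedelta) -> WindowStats:
    """Summarise all attempts whose timestamp falls in [start, start + window)."""
    users, ips = set(), set()
    attempts = successes = 0
    for line in lines:
        ts, ip, user, result = parse_line(line)
        if not (start <= ts < start + window):
            continue
        attempts += 1
        successes += result == "OK"
        users.add(user)
        ips.add(ip)
    return WindowStats(attempts, successes, len(users), len(ips))


def classify(stats: WindowStats, min_attempts: int = 100,
             max_success: float = 0.05, min_spread: float = 0.8) -> str:
    """Label a window. Thresholds are illustrative; tune them to your traffic."""
    if stats.attempts < min_attempts:
        return "quiet"
    if stats.success_rate >= max_success:
        return "normal"  # real users mostly get their password right
    if stats.user_spread >= min_spread and stats.ip_spread >= min_spread:
        # Low hit rate, one try per account, rotating source addresses.
        return "credential-stuffing"
    if stats.user_spread < 0.1:
        return "brute-force"  # low hit rate, hammering a handful of accounts
    return "suspicious"


START = datetime(2020, 8, 15, 3, 0, 0)


def make_log(kind: str, n: int, seed: int = 0) -> list:
    """Build n constructed log lines, one per second, for a given traffic kind."""
    rng = random.Random(seed)
    lines = []
    for i in range(n):
        ts = (START + timedelta(seconds=i)).isoformat()
        if kind == "stuffing":
            # Each pair from the leaked list is tried once, from a fresh proxy;
            # one hit per thousand matches the 0.1% rate quoted in the post.
            ip = "10.%d.%d.%d" % (rng.randrange(256), rng.randrange(256),
                                  rng.randrange(1, 255))
            user = "user%05d" % i
            result = "OK" if i % 1000 == 617 else "FAIL"
        elif kind == "brute-force":
            # Same account, same two addresses, every guess wrong.
            ip = rng.choice(["198.51.100.7", "198.51.100.8"])
            user = "jdoe"
            result = "FAIL"
        else:
            # Ordinary traffic: many users, most of whom type the right password.
            ip = "192.0.2.%d" % rng.randrange(1, 255)
            user = "user%05d" % rng.randrange(5000)
            result = "FAIL" if i % 10 == 0 else "OK"
        lines.append("%s %s %s %s" % (ts, ip, user, result))
    return lines


def demo(kind: str, n: int = 1000) -> str:
    """Generate a log of the given kind and return the classifier's label."""
    return classify(window_stats(make_log(kind, n), START, timedelta(hours=1)))


if __name__ == "__main__":
    for kind in ("stuffing", "brute-force", "normal"):
        print(kind, "->", demo(kind))
```

The point of the three ratios is that none of them alone is enough: a low success rate also describes brute force, and a high spread of users and IPs also describes a normal morning rush. It is the combination (low hit rate, one attempt per account, no repeated origin) that singles out a replayed breach list, which is why per-IP rate limiting on its own does not catch it.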
The CRA Hack
Unidentified attackers launched numerous credential-stuffing attacks against CRA MyAccount and GCKey. In total, the CRA estimates that about 11,200 accounts were affected. Using a success rate of 0.1%, that would mean a database of approximately 11,200,000 login credentials was tried against the portals (a rough back-of-the-envelope figure, since the true hit rate is unknown).
The full extent of the harm is not yet known, but we do know that thousands of Canadians have had CERB payments claimed in their name and redirected to other individuals. In response, the CRA has frozen these accounts, and the victims are unable to apply for CERB even if they need it.
In the aftermath, this breach will unfortunately hound the affected individuals for a very long time. It is uncertain exactly what information was harvested from the compromised CRA accounts, but it likely includes SINs, birthdates, addresses and other valuable personal details. This information can then be used for future identity theft. Likewise, the login credentials from the database can be tried against other websites in an attempt to access those accounts as well.
The CRA has stated that it will begin contacting affected individuals immediately by phone, email and mail. As always, expect follow-on scammers pretending to be CRA officials responding to this hack in order to harvest your information.
The CRA has said it will then provide assistance and credit protection for those affected. It is a little unclear what this will include, but it is likely a credit monitoring service and possibly basic insurance against identity theft damage.
While not stated by the CRA, those who are affected, or believe they may be, should act right away: change all passwords to unique ones for every service, add fraud alerts with the credit bureaus, notify every financial institution you use, and, if your carrier offers it, put a port block on your phone number so it cannot be transferred to another carrier without your consent. Also watch out for targeted phishing emails. As always, these protections are not guaranteed, but they put up additional barriers that can frustrate a scammer.
The root cause of this hack is password reuse: the same passwords used on multiple websites and never updated. The first thing anyone can do is use a unique password for every login and enable two-factor authentication wherever it is available. Using an authenticator app for the second factor, and a password manager to generate and store the unique passwords, further improves your security.
Basically, what we want to do here is put up as many barriers as possible.
Also, always be on the lookout for phishing scams, and do not open or click on email links you do not trust. These phishing attempts can easily compromise your username and password. On top of that, always keep your operating system and software up to date.
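Unique passwords are the fix on the user's side; on the site's side, the matching control is to refuse any password that already appears in breach compilations like the ones described above, so a reused credential cannot be set in the first place. The usual way to do that without ever sending the password anywhere is the k-anonymity lookup used by the public Pwned Passwords service: hash the password with SHA-1, send only the first five hex characters, get back every suffix sharing that prefix, and compare locally. The script below is an added example, not code from the original post; `SAMPLE_RANGES` is a constructed stand-in for a range response (the suffix for "password" is its real SHA-1 remainder, but the count and the other suffixes are made up), and `live_fetch_range` is included only to show the real endpoint and is never called by the offline demo.

```python
import hashlib
import urllib.request

# Constructed stand-in for one "range" response: each line is
# "<35-hex-char SHA-1 suffix>:<count>" for hashes sharing the 5-char prefix.
# The first suffix really is the rest of SHA-1("password"); the count and the
# remaining lines are invented for this example.
SAMPLE_RANGES = {
    "5BAA6": (
        "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3730471\n"
        "1E4C9B93F3F0682250B6CF8331B7EE68F00:2\n"
        "00000000000000000000000000000000001:0\n"   # a padding entry
    ),
}


def sample_fetch_range(prefix: str) -> str:
    """Offline lookup that mimics the API; unknown prefixes get a filler line."""
    return SAMPLE_RANGES.get(prefix, "0" * 35 + ":1\n")


def live_fetch_range(prefix: str) -> str:
    """Query the public Pwned Passwords range endpoint (needs network access).

    Only the first five hex characters of the SHA-1 leave the machine. The
    Add-Padding header asks the service to pad every response with count-0
    entries so that the response size does not reveal which prefix was asked.
    """
    req = urllib.request.Request(
        "https://api.pwnedpasswords.com/range/" + prefix,
        headers={"Add-Padding": "true", "User-Agent": "breach-check-example"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def hash_parts(password: str):
    """Split the uppercase hex SHA-1 of the password into (prefix5, suffix35)."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range_response(text: str) -> dict:
    """Turn 'SUFFIX:COUNT' lines into {suffix: count}, dropping padding (count 0)."""
    counts = {}
    for raw in text.splitlines():
        raw = raw.strip()
        if not raw:
            continue
        suffix, _, count = raw.partition(":")
        count = int(count)
        if count > 0:
            counts[suffix.upper()] = count
    return counts


def breach_count(password: str, fetch_range=sample_fetch_range) -> int:
    """How many times the password was seen in known breaches (0 = never)."""
    prefix, suffix = hash_parts(password)
    return parse_range_response(fetch_range(prefix)).get(suffix, 0)


def password_is_acceptable(password: str, fetch_range=sample_fetch_range,
                           min_length: int = 12) -> bool:
    """Signup / reset policy: long enough and never seen in a breach."""
    return len(password) >= min_length and breach_count(password, fetch_range) == 0


if __name__ == "__main__":
    for pw in ("password", "correct horse battery staple 2020"):
        print(repr(pw), "seen", breach_count(pw), "times; acceptable:",
              password_is_acceptable(pw))
```

To use it for real, pass `live_fetch_range` instead of the sample function. Note that SHA-1 is fine here only because the hash is never stored and only a 20-bit prefix is transmitted; it is not a substitute for a slow password hash (bcrypt, scrypt, Argon2) in the credential store itself.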