In mid-August 2020, the Canada Revenue Agency suspended its online services due to cybersecurity attacks. Cyber criminals were able to obtain thousands of GC Key account credentials.
How did this happen? Through credential stuffing.
Credential stuffing is a cyber attack that relies on people reusing their passwords. For example, if you use the same password for a social media site as you do for your bank account, anybody who is able to hack the social media site now has your banking password as well. Sites with poor security are breached on a regular basis, and thieves sell the credentials they obtain through these breaches on the dark net or on underground forums.

In the case of the CRA attack, cyber criminals took thousands of previously gathered email/password combinations and tried them against the CRA site to see which ones worked. Almost 9,000 people had reused the same password on the CRA site, allowing the criminals to log in as them or to sell the working credentials to other criminals. The passwords were not stolen from the CRA; the criminals simply verified that credentials stolen elsewhere also worked on the CRA site.
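The attack pattern described above leaves a recognisable trace in a site's login logs: one source tries many different accounts, roughly once each, with most attempts failing and the occasional success being an account whose owner reused a password. The following is an added example (not code from the original article or from the CRA) that flags that pattern. The log lines are constructed for the example, not real CRA data, and the log format and thresholds are assumptions.

```python
# Added example (not from the original article): flag the login pattern
# credential stuffing leaves behind.  The attacker replays one stolen
# email/password pair per account, so a stuffing source shows many
# distinct usernames, about one attempt each, and a low success rate;
# each success is an account whose owner reused a password elsewhere.
from collections import defaultdict

# Constructed sample log lines, not real CRA data.  Assumed format:
# "<timestamp> <source_ip> <username> <OK|FAIL>"
SAMPLE_LOG = """\
2020-08-15T02:00:01Z 203.0.113.10 alice@example.com FAIL
2020-08-15T02:00:02Z 203.0.113.10 bob@example.com OK
2020-08-15T02:00:03Z 203.0.113.10 carol@example.com FAIL
2020-08-15T02:00:04Z 203.0.113.10 dave@example.com FAIL
2020-08-15T02:00:05Z 203.0.113.10 erin@example.com OK
2020-08-15T02:00:06Z 203.0.113.10 frank@example.com FAIL
2020-08-15T02:00:07Z 203.0.113.10 grace@example.com FAIL
2020-08-15T02:00:08Z 203.0.113.10 heidi@example.com FAIL
2020-08-15T02:01:00Z 198.51.100.7 alice@example.com FAIL
2020-08-15T02:01:09Z 198.51.100.7 alice@example.com OK
2020-08-15T02:02:00Z 198.51.100.8 carol@example.com FAIL
2020-08-15T02:02:01Z 198.51.100.8 carol@example.com FAIL
2020-08-15T02:02:02Z 198.51.100.8 carol@example.com FAIL
2020-08-15T02:02:03Z 198.51.100.8 carol@example.com FAIL
2020-08-15T02:02:04Z 198.51.100.8 carol@example.com FAIL
2020-08-15T02:02:05Z 198.51.100.8 carol@example.com FAIL
"""


def parse_line(line):
    """Split one log line into its four fields."""
    ts, ip, user, result = line.split()
    return {"ts": ts, "ip": ip, "user": user, "ok": result == "OK"}


def summarise_by_ip(log_text):
    """Per source IP: distinct usernames tried, attempts, successes,
    and which accounts accepted a replayed password."""
    stats = defaultdict(lambda: {"users": set(), "attempts": 0,
                                 "successes": 0, "compromised": []})
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        s = stats[rec["ip"]]
        s["users"].add(rec["user"])
        s["attempts"] += 1
        if rec["ok"]:
            s["successes"] += 1
            s["compromised"].append(rec["user"])
    return stats


def find_stuffing_sources(log_text, min_distinct_users=5, max_success_rate=0.5):
    """Return {ip: summary} for sources whose pattern looks like credential
    stuffing: many distinct accounts, few attempts per account, mostly failures.

    A brute-force source (one account, many attempts) and a legitimate user
    (one account, mostly successes) both fall outside this rule on purpose.
    """
    suspects = {}
    for ip, s in summarise_by_ip(log_text).items():
        distinct = len(s["users"])
        attempts_per_user = s["attempts"] / distinct
        success_rate = s["successes"] / s["attempts"]
        if (distinct >= min_distinct_users
                and attempts_per_user < 2
                and success_rate <= max_success_rate):
            suspects[ip] = {
                "distinct_users": distinct,
                "attempts": s["attempts"],
                "successes": s["successes"],
                # these owners reused a password; force a reset for them
                "compromised": sorted(s["compromised"]),
            }
    return suspects


if __name__ == "__main__":
    for ip, info in find_stuffing_sources(SAMPLE_LOG).items():
        print(ip, info)
```

In the sample, 203.0.113.10 is flagged (8 accounts, 8 attempts, 2 successes), while the legitimate user at 198.51.100.7 and the single-account brute force at 198.51.100.8 are not. Real campaigns spread the attempts across many addresses, so in practice the same ratios are also worth computing site-wide per time window rather than only per IP.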
A similar credential stuffing attack recently resulted in thousands of Zoom account credentials being illegally obtained.
This is a valuable lesson for us all: we can no longer tell ourselves 'we are too small', 'no one would hack into my account', or 'that only happens to big cities'. This is a quantity-over-quality attack. It is relatively simple for a moderately skilled attacker to carry out, and the goal is to hit as many victims as possible, no matter how big or small.
What can you do to protect yourself? There are two important steps you can take that would prevent you from being the victim of a credential stuffing attack such as this:
- Use a different password for each site you log in to. Your passwords should be long and not guessable: nothing like 'qwerty1234' or 'secret', and not your name or favourite food. A password manager makes this easy, since it generates and remembers a unique password for every site.
- Use two-factor authentication wherever it is available. A hardware token such as a YubiKey or text message verification stops a criminal who has your password from logging in with it alone. Text message codes are better than nothing, but they can be intercepted (for example through SIM swapping), so use a hardware token where the site offers one.
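The site side of this advice is to refuse a password that already appears in one of the breach dumps the criminals trade, so a replayed credential cannot become this site's password in the first place. The following is an added example (not code from the original article or from the CRA). Its exchange mirrors the range-query design of Have I Been Pwned's Pwned Passwords service (SHA-1 the password, send only the first 5 hex digits, match the rest locally), but the breach corpus here is constructed and `lookup_range()` stands in for the network call; nothing in it contacts a real service.

```python
# Added example (not from the original article): reject a new password if
# it already appears in a breach dump, without ever sending the password
# or its full hash to the lookup service.  The 5-hex-digit prefix query
# follows the Pwned Passwords range design; the corpus is constructed and
# lookup_range() is a stand-in for the server.
import hashlib

# Constructed "breach dump": passwords harvested from a hypothetical
# poorly secured site.  A real corpus holds hundreds of millions of hashes.
BREACHED_PASSWORDS = ["qwerty1234", "secret", "password", "letmein", "Summer2020"]


def sha1_hex(password: str) -> str:
    """Upper-case hex SHA-1 of the password (the format the range query uses)."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


# Server side: index the dump by 5-hex-digit prefix -> set of 35-hex suffixes.
BREACH_INDEX = {}
for _pw in BREACHED_PASSWORDS:
    _h = sha1_hex(_pw)
    BREACH_INDEX.setdefault(_h[:5], set()).add(_h[5:])


def lookup_range(prefix: str) -> set:
    """Server endpoint stand-in: return every suffix sharing this prefix.
    The server learns only 20 bits of the hash, not which password was checked."""
    if len(prefix) != 5:
        raise ValueError("prefix must be exactly 5 hex digits")
    return set(BREACH_INDEX.get(prefix.upper(), set()))


def is_breached(password: str) -> bool:
    """Client side: hash locally, query by prefix, match the suffix locally."""
    h = sha1_hex(password)
    return h[5:] in lookup_range(h[:5])


def check_new_password(password: str, min_length: int = 12) -> list:
    """Return the reasons to reject a proposed password (empty list = accept).
    The length floor is an assumed site policy, not a value from the article."""
    reasons = []
    if len(password) < min_length:
        reasons.append("too short")
    if is_breached(password):
        reasons.append("appears in a known breach")
    return reasons


if __name__ == "__main__":
    for candidate in ["secret", "correct horse battery staple"]:
        print(repr(candidate), check_new_password(candidate) or "accepted")
```

A site that runs this check at password creation and at login (flagging, not just rejecting, an existing password found in a dump) shrinks the pool of accounts a stuffing run can succeed against; it complements, rather than replaces, the second factor above.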
The importance of password management cannot be overstated.