OTTAWA — Hackers used more than 9,000 stolen usernames and passwords to apply for government services, and also targeted about 5,500 Canada Revenue Agency accounts, the federal government said in an announcement.
The RCMP is investigating whether the hack led to any privacy breaches or stolen information from the accounts, which have been disabled, the Treasury Board of Canada Secretariat said on Saturday.
The 9,000 hijacked accounts have been cancelled, and the approximately 3,000 accounts that were successful in getting government services are being investigated.
The 5,500 CRA accounts that were separately targeted have been disabled, and owners are being contacted, said the government.
The cyberattacks used a technique called credential stuffing to target a system used by 12 million users and about 30 federal departments, including immigration accounts.
The attackers used passwords and usernames collected from previous hacks of accounts worldwide, and “took advantage of the fact that many people reuse passwords and usernames across multiple accounts,” the government said.