author photo
By Clare O’Gara
Mon | Aug 17, 2020 | 10:12 AM PDT

Another day, another cyberattack that preys on those affected most by COVID-19.

From spoofing coronavirus relief to outright stealing from unemployment systems, cybercriminals have targeted vulnerable parties seeking aid from the beginning of the pandemic.

These attacks are so prevalent that SecureWorld has a list of the top five ways cybercriminals are using COVID-19 against us.

The latest victim, though, is also larger than ever.

It's the Canada Revenue Agency (CRA), and the aftershock of its hack is already expanding far beyond the thousands of accounts hackers breached.

How did cybercriminals hack the Canada Revenue Agency?

Two words: credential stuffing.

In an announcement, the Canadian government provided that as an explanation for recent attacks mounted on the country's GCKey service and CRA accounts.

Here's what GCKey is:

"Used by approximately 30 federal departments, GCKey allows Canadians to access services like Employment and Social Development Canada's My Service Canada Account or their Immigration, Refugees and Citizenship Canada account."

There are approximately 12 million GCKey accounts in Canada. During the cyberattack, the usernames and passwords of only 9,041 were stolen in an attempt to access government services. From there, 5,500 accounts were actually breached.

Initially, those numbers seem pretty low: according to this data, the attack breached less than 1% of users.

But even a small number of hacked accounts is incredibly volatile and can do some serious damage to the overall organization under attack. And that's exactly what's happening at CRA.

In an effort to limit compromised accounts, the agency shut down its online services completely.

Now, anyone attempting to apply for emergency COVID-19 benefits, such as the Canada Emergency Response Benefit or the Canada Emergency Student Benefit, is unable to do so. 

The hackers took advantage of reused passwords of a few thousand accounts, and they managed to take down the entire system with them.

It's another reminder of what makes the individual so important when it comes to the cybersecurity of your organization.