Credential stuffing attacks leverage publicly accessible lists of previously compromised usernames and passwords, replaying the same login combinations against other online services and accounts in the hope that they were reused.

For example, perhaps one has an account with an online file sharing application, and that file sharing site gets hacked, leaking the login usernames and passwords onto the public Internet. As many people use email addresses as usernames, and the same or similar passwords across many online services, bad actors have a lot of information to use in trying to compromise one’s other accounts.

The bad guys also now have an active email account (the leaked username) to try accessing, which, if it uses the same password as the one in the credential leak, could spell big trouble, particularly if that email address was also used to sign up for online services such as banking and government apps. If the hackers gain access to the email account that was used to communicate with other online sites, there is a high probability that they will be able to reset passwords for those other services, possibly locking you out and stealing more information (all messages/folders contained in the email account).
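The pattern just described also shows up on the defender's side: one source cycling through many different usernames, most of them failing. As an added illustration (example code written for this post, not from the original article or any product; the log format, addresses and thresholds are all assumptions), here is a small detector run over constructed authentication log lines:

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample auth log (not real data): 203.0.113.7 replays leaked
# username/password pairs; 198.51.100.20 is one user mistyping a password.
SAMPLE_LOG = """\
2020-08-15T10:00:01Z src=203.0.113.7 user=alice@example.com result=FAIL
2020-08-15T10:00:02Z src=203.0.113.7 user=bob@example.com result=FAIL
2020-08-15T10:00:03Z src=203.0.113.7 user=carol@example.com result=FAIL
2020-08-15T10:00:04Z src=203.0.113.7 user=dave@example.com result=OK
2020-08-15T10:00:05Z src=203.0.113.7 user=erin@example.com result=FAIL
2020-08-15T10:00:06Z src=203.0.113.7 user=frank@example.com result=FAIL
2020-08-15T10:01:10Z src=198.51.100.20 user=grace@example.com result=FAIL
2020-08-15T10:01:20Z src=198.51.100.20 user=grace@example.com result=FAIL
2020-08-15T10:01:30Z src=198.51.100.20 user=grace@example.com result=OK
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<result>\S+)$")

def parse_log(text):
    """Yield (timestamp, src, user, success) tuples; malformed lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        yield ts, m["src"], m["user"], m["result"] == "OK"

def find_stuffing_sources(text, window_s=300, min_users=5, min_fail_ratio=0.6):
    """Flag sources that tried >= min_users distinct usernames within window_s
    seconds with a failure ratio >= min_fail_ratio. Many distinct usernames from
    one source is what separates stuffing from a single user retrying a password.
    Accounts that accepted a replayed password are listed for forced reset."""
    events = defaultdict(list)
    for ts, src, user, ok in parse_log(text):
        events[src].append((ts, user, ok))
    flagged = {}
    for src, evs in events.items():
        evs.sort()
        for i, (t0, _, _) in enumerate(evs):  # sliding window from each event
            win = [e for e in evs[i:] if (e[0] - t0).total_seconds() <= window_s]
            users = {u for _, u, _ in win}
            fails = sum(1 for _, _, ok in win if not ok)
            if len(users) >= min_users and fails / len(win) >= min_fail_ratio:
                flagged[src] = {"distinct_users": len(users), "attempts": len(win),
                                "failures": fails,
                                "accounts_to_reset": sorted(u for _, u, ok in win if ok)}
                break
    return flagged
```

Note that the successful logins inside a flagged window are the ones that matter most: they are the accounts whose reused password has just been confirmed as valid.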

';--have i been pwned? is an online cybersecurity resource that lets you check your email addresses against a large database of known compromises, the idea being that if you find one of your email addresses (used as the username in a leaked hack), you can change your passwords or, better yet, create a new email address and password combination (not always feasible or easy). Bear in mind that the site only contains known hacks; not finding an email address there is no guarantee that it has not been compromised.

If you haven’t changed your passwords for a while, consider doing it now. Also, you may want to look into a password manager, such as the open source option KeePassXC.

Excerpt from an IT World Canada article regarding a recent credential stuffing attack aimed at the CRA…

The Government of Canada says thousands of GCKey service and Canada Revenue Agency income and business tax accounts have been slammed with multiple credential stuffing attacks.

Used by roughly 30 federal departments, GCKey lets Canadians access services like Employment and Social Development Canada’s My Service Canada Account or their Immigration, Refugees and Citizenship Canada account. The Treasury Board of Canada Secretariat says that of the approximately 12 million active GCKey accounts in Canada, the passwords and usernames of 9,041 users were obtained fraudulently and used to try and access government services. A third of those hacked accounts accessed government services and are being “further examined for suspicious activity.”

The bad news continues. Approximately 5,500 CRA accounts were targeted as part of the GCKey attack and another recent “credential stuffing” attack aimed at the CRA, according to an Aug. 15 press release.

“Access to all affected accounts has been disabled to maintain the safety and security of taxpayers’ information, and the Agency is contacting all affected individuals and will work with them to restore access to their CRA MyAccount,” it reads.

Alex Coop via IT World Canada

Read the rest of the article, including the CRA’s mitigation measures, over at IT World Canada…