Thousands of user accounts for online government services in Canada were recently hacked during cyberattacks, Canadian authorities have announced.

According to a statement, "The Government of Canada is taking action in response to “credential stuffing” attacks mounted on the GCKey service and CRA accounts. These attacks, which used passwords and usernames collected from previous hacks of accounts worldwide, took advantage of the fact that many people reuse passwords and usernames across multiple accounts."

Fausto Oliveira, Principal Security Architect at Acceptto, notes that, “Credential stuffing is a pervasive security issue caused by the complexity of today's authentication mechanisms that still rely on a password. Users today have access to hundreds, if not thousands, of services each requiring a password and as such credential re-use if often common.  Once a hacker has gained access to one of the services they can try to attack other services by re-using the password and gain access to further information for example by hacking the user's email, internet provider accounts, etc."

Oliveira adds, "The good news is that these are preventable types of attack. Organizations need to offer Multi-Factor Authentication, combined with Continuous Behavioral Authentication. We’ve been educating the market about this for quite some time, but unfortunately, the lesson still hasn't permeated. Without proper protection, your organization is at risk and so are your customers. The only ones that benefit from inaction are the criminals.”

The Government of Canada, like every other government and private sector organization in the world, deals with ongoing and persistent cyber risks and threats, says the statement, which is "why the government has robust systems and tools in place to monitor, detect and investigate potential threats, and neutralize them as quickly as possible."

Joseph Carson, Advisory CISO at Thycotic, says, "An important lesson that must be learned is that we should never reuse passwords.  Companies who offer authentication and login to their website must also move away from having a password as the only security control. 2FA must be enabled for all customers as this reduces the risks of customers who reuse passwords from become a victim of a cybercrime or credential stuffing from being successful.  Additionally, endorse Password Managers to help customers make better password hygiene and decisions when creating new accounts and passwords."

According to Tim Wade, Technical Director, CTO Team at Vectra, as an entry point, stolen credentials offer the most effective path for both post exploitation lateral movement or attacking non-MFA protected cloud services.  "As a result of a breach, credentials may be harvested as part of a breach and subsequently monetized," says Wade."The risks around credential theft are compounded by the relatively common practice of credential reuse, where a breach in one platform may affect another unrelated platform due to users reusing their credentials.”