The federal government says email addresses and phone numbers linked to user accounts at the Canada Revenue Agency (CRA), Employment and Social Development Canada (ESDC), and the Canada Border Services Agency (CBSA) were accessed during a recent cyberattack.
According to the Treasury Board of Canada Secretariat, the government was alerted to the incident on August 17 by 2Keys Corporation, which provides the multi-factor authentication (MFA) service used to log into these accounts.
Officials say a routine software update created a temporary vulnerability between August 3 and August 15, allowing a malicious actor to gain access to:
- Phone numbers linked to CRA and ESDC accounts
- Email addresses associated with CBSA accounts
The government confirmed some affected phone numbers later received spam text messages containing links to fraudulent websites designed to mimic official Government of Canada pages.
Treasury Board says the MFA service has since been restored, and there is currently no evidence that additional personal or sensitive data was compromised.
The investigation, led by 2Keys and supported by external cybersecurity experts, is ongoing.
The incident highlights the growing cybersecurity risks facing government systems. Officials say protective measures have been reinforced to prevent future vulnerabilities and are urging Canadians to remain cautious about suspicious messages claiming to come from government agencies.