Hackers exploited a vulnerability in 2Keys’ multi-factor authentication (MFA) system, used by Canadian federal agencies (CRA, Service Canada, CBSA), to steal 881,000 phone numbers and 85,699 email addresses over a two-week period in August 2023. The stolen data was weaponized in a large-scale phishing campaign in which victims received fraudulent SMS messages mimicking government websites, intended to harvest login credentials. While no additional sensitive data (e.g., financial data or PII) was confirmed compromised, the breach enabled credential-theft attempts targeting government service portals. The incident originated from a software vulnerability during a routine update and was discovered by 2Keys in mid-August. Authorities stated that no fraudulent activity or account takeovers were detected post-breach, but the exposure of contact details at scale posed reputational risks and heightened fraud potential for affected Canadians. The delay in public disclosure (revealed in September) and the reliance on a third-party MFA provider underscored systemic vulnerabilities in government digital infrastructure.
TPRM report: https://www.rankiteo.com/company/2keyscorp
"id": "2ke0493604092525",
"linkid": "2keyscorp",
"type": "Vulnerability",
"date": "8/2023",
"severity": "60",
"impact": "4",
"explanation": "Attack with significant impact with customers data leaks"
{'affected_entities': [{'customers_affected': '966,699 (881,000 phone numbers '
'+ 85,699 email addresses)',
'industry': 'Public Sector',
'location': 'Canada',
'name': 'Government of Canada',
'type': 'Government'},
{'customers_affected': '881,000 (phone numbers)',
'industry': 'Taxation',
'location': 'Canada',
'name': 'Canada Revenue Agency (CRA)',
'type': 'Government Agency'},
{'customers_affected': '85,699 (email addresses)',
'industry': 'Border Security',
'location': 'Canada',
'name': 'Canada Border Services Agency (CBSA)',
'type': 'Government Agency'},
{'industry': 'Cybersecurity (MFA Solutions)',
'location': 'Canada',
'name': '2Keys (Interac)',
'type': 'Private Company'}],
'attack_vector': 'Exploitation of a vulnerability in MFA software during a '
'routine update',
'customer_advisories': ['Users advised to remain vigilant against phishing '
'attempts',
'No action required for affected individuals unless '
'they fell victim to phishing'],
'data_breach': {'data_exfiltration': True,
'number_of_records_exposed': 966699,
'sensitivity_of_data': "Low (classified as 'non-material "
"privacy incident')",
'type_of_data_compromised': ['Contact Information (Phone '
'Numbers, Email Addresses)']},
'date_detected': '2023-08-15T00:00:00Z',
'date_publicly_disclosed': '2023-09-09T00:00:00Z',
'description': 'Hackers exploited a vulnerability in the multi-factor '
'authentication (MFA) software provided by 2Keys (owned by '
'Interac) to steal over 880,000 phone numbers and 85,000 email '
'addresses of Canadians accessing federal government web '
'services (CRA, Service Canada, and CBSA). The stolen data was '
'used to send fraudulent phishing messages to victims, '
'attempting to harvest credentials or financial information. '
'The breach occurred over a two-week period starting August 3, '
'2023, and was discovered in mid-August. No additional PII or '
'sensitive data was confirmed as compromised, and no '
'fraudulent activity was detected post-breach.',
'impact': {'brand_reputation_impact': 'Moderate (public disclosure of breach '
'affecting federal services)',
'data_compromised': ['Phone Numbers (881,000)',
'Email Addresses (85,699)'],
'identity_theft_risk': 'Low (only phone/email compromised, but '
'risk of credential theft via phishing)',
'operational_impact': 'Phishing campaign targeting 881,000+ '
'victims; potential credential harvesting',
'payment_information_risk': 'Low (no direct payment data exposed, '
'but phishing could lead to financial '
'fraud)',
'systems_affected': ['2Keys MFA System',
'CRA MyCRA Portal',
'CBSA Public-Facing Portals']},
'initial_access_broker': {'entry_point': 'Vulnerability in 2Keys MFA software '
'during routine update',
'high_value_targets': ['CRA MyCRA Portal Users',
'CBSA Account Holders'],
'reconnaissance_period': 'Unknown (exploitation '
'occurred over ~2 weeks '
'starting Aug. 3, 2023)'},
'investigation_status': 'Ongoing (no evidence of further compromise or '
'fraudulent activity as of Sept. 2023)',
'lessons_learned': ['Importance of timely patching and monitoring during '
'software updates',
'Need for robust MFA solutions to prevent credential '
'harvesting via phishing',
'Public awareness campaigns to educate users about '
'phishing risks'],
'motivation': ['Financial Gain', 'Credential Theft', 'Fraud'],
'post_incident_analysis': {'corrective_actions': ['2Keys investigation and '
'notification to government',
'Public disclosure and user '
'advisories'],
'root_causes': ['Unpatched vulnerability in MFA '
'system',
'Delayed detection of unusual '
'behavior (exploited for ~2 '
'weeks)']},
'recommendations': ['Enhance monitoring of MFA systems for unusual behavior',
'Implement additional layers of authentication for '
'high-risk portals',
'Conduct regular security audits of third-party vendors '
'(e.g., 2Keys)',
'Educate users on recognizing phishing attempts (e.g., '
'government agencies will not request sensitive info via '
'SMS)'],
'references': [{'date_accessed': '2023-09-20T00:00:00Z',
'source': 'National Post',
'url': 'https://nationalpost.com'}],
'response': {'communication_strategy': ['Public disclosure via Chief '
'Information Officer statement (Sept. '
'9)',
'Media responses by ESDC '
'spokesperson'],
'containment_measures': ['Preliminary investigation by 2Keys',
'Notification to Government of Canada',
'System access revoked for threat '
'actors (assumed)'],
'incident_response_plan_activated': True},
'stakeholder_advisories': ['Government of Canada CIO statement (Sept. 9, '
'2023)',
'ESDC spokesperson confirmation (Sept. 2023)'],
'threat_actor': 'Unknown',
'title': 'Data Breach Affecting Canadian Federal Government Web Services via '
'2Keys MFA Provider',
'type': ['Data Breach', 'Phishing Attack', 'Credential Harvesting'],
'vulnerability_exploited': 'Unspecified vulnerability in 2Keys MFA system '
'(Interac-owned)'}