Attackers exploited a vulnerability in the multi-factor authentication (MFA) software of 2Keys, a provider used by federal government services including the Canada Revenue Agency (CRA), Service Canada, and the Canada Border Services Agency (CBSA). The breach ran for roughly two weeks from August 3, 2023, during a routine software update. The attackers stole 881,000 phone numbers belonging to CRA users and 85,699 email addresses belonging to CBSA account holders. The stolen data was classified as low-risk (no sensitive PII or financial data was exposed), but criminals used it to run a large-scale phishing campaign: fraudulent SMS messages carrying links to spoofed government websites, designed to trick recipients into entering their login credentials and so hand over access to their accounts. No fraudulent activity or account compromise was detected after the breach, but the incident exposed the systemic risk concentrated in third-party authentication providers. The gap between detection (mid-August) and public disclosure (September 9), together with the scale of the exposure (nearly 1 million Canadians), highlighted how exposed critical government-facing infrastructure is to a weakness at a single vendor.
TPRM report: https://www.rankiteo.com/company/securityxx
"id": "sec3833838092525",
"linkid": "securityxx",
"type": "Vulnerability",
"date": "8/2023",
"severity": "60",
"impact": "4",
"explanation": "Attack with significant impact with customers data leaks"
{'affected_entities': [{'customers_affected': '966,699 (881,000 phone numbers '
'+ 85,699 email addresses)',
'industry': 'Public Administration',
'location': 'Canada',
'name': 'Government of Canada',
'type': 'Government'},
{'customers_affected': '881,000 (phone numbers)',
'industry': 'Taxation',
'location': 'Canada',
'name': 'Canada Revenue Agency (CRA)',
'type': 'Government Agency'},
{'customers_affected': '85,699 (email addresses)',
'industry': 'Border Security',
'location': 'Canada',
'name': 'Canada Border Services Agency (CBSA)',
'type': 'Government Agency'},
{'industry': 'Cybersecurity (MFA Solutions)',
'location': 'Canada',
'name': '2Keys (owned by Interac)',
'type': 'Private Company'}],
'attack_vector': 'Exploitation of a vulnerability in MFA software during a '
'routine update',
'customer_advisories': ['Users advised to monitor for phishing attempts',
'No password resets required as no credentials were '
'confirmed stolen'],
'data_breach': {'data_exfiltration': True,
'number_of_records_exposed': 966699,
'sensitivity_of_data': "Low (classified as 'non-material "
"privacy incident')",
'type_of_data_compromised': ['Contact Information (Phone '
'Numbers, Email Addresses)']},
'date_detected': '2023-08-15T00:00:00Z',
'date_publicly_disclosed': '2023-09-09T00:00:00Z',
'description': 'Hackers exploited a vulnerability in the government’s '
'multi-factor authentication (MFA) software provider, 2Keys '
'(owned by Interac), to steal over 880,000 phone numbers and '
'85,000 email addresses used to access federal government web '
'services (CRA, Service Canada, and CBSA portals). The stolen '
'data was used to send fraudulent phishing messages to '
'victims, attempting to harvest credentials or financial '
'information. The breach occurred over a two-week period '
'starting August 3, 2023, and was discovered in mid-August. No '
'additional PII or sensitive data was confirmed compromised, '
'and no fraudulent activity or account takeovers were detected '
'post-breach.',
'impact': {'brand_reputation_impact': 'Potential erosion of trust in '
'government digital services and '
'2Keys/Interac',
'data_compromised': ['Phone Numbers (881,000)',
'Email Addresses (85,699)'],
'identity_theft_risk': 'Low (only phone numbers/emails '
'compromised, but used for phishing)',
'operational_impact': 'Phishing campaign targeting victims; '
'heightened vigilance required for '
'government service users',
'payment_information_risk': 'Indirect (via phishing attempts to '
'harvest credentials)',
'systems_affected': ['2Keys MFA System',
'CRA MyCRA Portal',
'CBSA Public-Facing Portal']},
'initial_access_broker': {'entry_point': 'Vulnerability in 2Keys MFA software '
'during routine update',
'high_value_targets': ['CRA MyCRA Portal Users',
'CBSA Account Holders']},
'investigation_status': 'Preliminary investigation completed; no evidence of '
'further compromise or fraudulent activity',
'lessons_learned': ['Importance of timely patching and monitoring during '
'software updates',
'Need for robust MFA security to prevent exploitation of '
'authentication systems',
'Vigilance against phishing campaigns leveraging stolen '
'contact data',
'Transparency in disclosing breach scope (initial '
'disclosure lacked specifics on affected records)'],
'motivation': ['Financial Gain', 'Credential Theft', 'Fraud'],
'post_incident_analysis': {'corrective_actions': ['Termination of '
'unauthorized access',
"Investigation into 2Keys' "
'security practices',
"Review of government's "
'third-party vendor risk '
'management'],
'root_causes': ['Software vulnerability in MFA '
'system',
'Delayed detection of unusual '
'behavior (two-week exploitation '
'window)']},
'recommendations': ['Enhance MFA security protocols (e.g., behavioral '
'analysis, hardware tokens)',
'Implement real-time anomaly detection for authentication '
'systems',
'Conduct regular third-party audits of MFA providers',
'Educate users on recognizing phishing attempts (e.g., '
'government agencies never request sensitive info via '
'SMS)',
'Improve incident communication timelines to include full '
'scope details upfront'],
'references': [{'date_accessed': '2023-09-20T00:00:00Z',
'source': 'National Post',
'url': 'https://nationalpost.com'}],
'response': {'communication_strategy': ['Public disclosure via CIO statement',
'Media engagement (e.g., National '
'Post)'],
'containment_measures': ['Investigation launched',
'Unauthorized access terminated'],
'incident_response_plan_activated': True},
'stakeholder_advisories': ['Government of Canada CIO statement (2023-09-09)',
'ESDC spokesperson confirmation (2023-09-20)'],
'threat_actor': 'Unknown',
'title': 'Data Breach Affecting Canadian Federal Government Web Services via '
'2Keys MFA Provider',
'type': ['Data Breach', 'Phishing Attack', 'Credential Harvesting'],
'vulnerability_exploited': 'Unspecified software vulnerability in 2Keys MFA '
'system'}