TORONTO -- When Leah Baverstock received an email on August 7 telling her that her application for the Canadian Emergency Response Benefit (CERB) had been approved, she was more than a little confused.
After all, she hadn鈥檛 applied to the program.
Baverstock is one of thousands of Canadians who had their accounts with the Canada Revenue Agency compromised this month after a 鈥渃redential stuffing鈥 scheme, in which hackers used previously obtained personal information, such as logins and passwords, to access users鈥 online accounts.
鈥淚t鈥檚 definitely scary times,鈥 Baverstock told CTV News Channel. 鈥淚 hadn鈥檛 applied for the CERB, so that was a bit of a shocker, so I ended up calling the CRA.
鈥淭he lady I spoke with said it was a one-off. She said, 鈥業鈥檓 sorry that this happened to you,鈥 she proceeded to give me a list of people to call, to let them know it had happened. And then I heard about the other 5,000 or 9,000 people that this happened to, and I thought, 鈥楾his is not a one-off.鈥欌
Officials confirmed Monday that the 5,500 CRA accounts initially reported to have been breached were the tip of the iceberg: a total of 11,200 accounts for the Government of Canada services were compromised in the attack, including CRA accounts and 鈥淕CKey鈥 accounts, which 30 government departments use.
Marc Brouillard, the acting chief technology officer for the Government of Canada, said Monday that 鈥渂ad actors [鈥 were also able to exploit a vulnerability in the configuration of security software solutions, which allowed them to bypass the CRA security questions and gain access to a user's CRA account.鈥
Government officials have said that they first became aware of a security breach on Aug 7 -- the same day Baverstock reports calling the CRA about her account -- but didn鈥檛 contact the RCMP until Aug 11.
And Canadians were not informed of the breach until this past weekend, days after further attacks had been executed.
The CRA has defended its decision not to inform Canadians immediately, saying it needed time to inform people internally and try to regain access to breached accounts.
鈥淚 think about your social insurance number being your Canadian identification number, and I think if somebody has access to that, than they have access to basically anything,鈥 Baverstock said.
鈥淪o I called the anti-fraud unit -- they鈥檙e closed due to COVID. I called Service Canada, I let them know about what was happening with my social insurance number.鈥
She said she鈥檇 also been in contact with her bank and other accounts she has 鈥渢o let them know it鈥檚 happened, to put some additional security in place if somebody does try to apply for credit in my name.
鈥淏ut it concerns me because somebody could live under my name, under my social insurance number,鈥 she pointed out. 鈥淟ive as me.鈥
Experts in cyber security say that reusing your passwords and logins can make you vulnerable to these types of attacks, since one breach of one account could give a hacker the tools to login to numerous accounts as you.
But passwords aren鈥檛 the full picture of this breach.
Baverstock says she didn鈥檛 even have a password for her CRA account.
鈥淎pparently you need a code to get in, so I applied for the code back in March and they said they would mail it to me,鈥 she said. 鈥淚 still haven鈥檛 received it, and I can鈥檛 even log into my CRA account, so it blows my mind that other people can.鈥
Baverstock is not impressed with the CRA鈥檚 response, saying she still has no idea what is happening with her account.
鈥淲hen I spoke to the officer at CRA, she advised that a senior officer would call me within 24 hours, because my account has been completely locked down,鈥 she said. 鈥淚 can鈥檛 have any information.鈥
She said she still has not received a call back.
鈥淚t鈥檚 been over a week,鈥 she said. 鈥淭he CRA agent, she said that there are been multiple attempts to go into my account over the past little while, I guess they can see that in their system, so, I mean I鈥檓 thinking at that point they should鈥檝e locked my account down right then and there and notified me.
鈥淭his should never have happened.鈥
