CRA account lockdown

Are we all anticipating tomorrow’s lockdown of 800,000 CRA accounts?? Mine has been locked twice this year, and I’m not looking forward to tomorrow. Maybe stay up all night downloading client info.

I’m hoping at least one person in my office won’t be locked down. I don’t want to spend the night downloading 100’s of clients info!

As a precautionary measure, I just spent the last 2 hrs on CRA’s site doing the AFR’s and reviewing client data for those clients that have started an engagement and waiting in the queue for processing. This also involved submitting several AuthRep’s and submitting a copy of the Death Certificate and Will for an estate. At 2:00 am, I was surprised that I wasn’t locked out at 2:00 am, however, I was receiving the message that data was no longer available for some things. I accomplished everything I needed to do by this time as a just in case clause, however I don’t feel I need to worry about my account as I’ve never had issues. My username is unique to CRA (even I can’t remember it), and my CRA password is 64 characters long. I always copy/paste them from my password manager to access CRA’s site.

I wish I’d seen that article yesterday, but I was too busy working :laughing:. I would have started a download frenzy too. I got lucky and can access my account, but my partner can’t. My userid is unique to CRA too, and I changed my password for the season in late February. It sounds like that might be the significant factor. If I’m understanding it, they had reason to believe the userid/pw combinations could be compromised by use on other sites. Something to think about when setting back up.

I’m wondering if registering for a new username/pw will impact a preparer’s RepID.

I was OK at 1:00am when I quit for the night. Looked good this morning until about noon when I received the dreaded email. But, at least they gave instructions on how to get back in. I chose the RAC option and went through the steps to change my username and password. I was already set up with 2FA. Just checked and My Account, My Business Account, and RAC are all operational. My username was always unique to CRA, so that couldn’t have been the issue. Don’t know why I was picked on 3 times this year. Maybe CRA thinks everyone east of Ontario/Quebec are country bumpkins snacking on salt cod bits, and deserve to be cut off. Well, NS had one case of COVID yesterday. Who’s laughing now?

Curious that an account would be locked out where the user/pass is unique to the site. Two possibilities immediately come to mind:

  • the username was used elsewhere and was found in a breach list
  • the password was used elsewhere and was found in a breach list

Either of the above may not have been “you”…just someone else using the same string.

Both might be checked by going to but they may, or may not be there yet.

One of the interesting things - and no one seems to really mention this on any of the GCkey sites: the username does NOT need to be an email address. It can be anything: “GreenCheeseOnTheMoon” is perfectly acceptable as a username. Any alphanumeric character string is fine AFAIK.

And yes, using a password manager like 1 Password to generate lengthy passwords is a “must do” these days, yet MANY people just don’t want to spend the small amount they cost on security that will fix/mitigate a host of problems. Yes, they are inconvenient. Being locked out of important accounts is more inconvenient.

And, for all we know, CRA locked accounts to which neither of the conditions apply for other reasons as yet known only to them!!

1 Like

I don’t think we will ever know what the actual issue is… and it seems to be ongoing. In an effort to be somewhat transparent they spoon out some word salad to the media regarding compromised user accounts. After the media has finished reporting the story a reasonably educated person should be able to understand what was reported. Instead, people are left just as confused after hearing the report because the media skirts around what actually happened… likely because they don’t even know themselves. This lack of information or misinformation is deliberate.

They never came out and admitted last summer’s breach was a direct result of Service Canada logins being harvested and hackers using an individual’s stolen My Service Canada Account login to jump over to their CRA account (change their banking info & apply for 8 CERB payments). All this because they left a clickable link on your My Service Canada Account that went straight into your CRA My Account (even if you didn’t have a CRA My Account). Instead, fed the media information that made it seem like individuals used the same username and passwords on several websites and it was those sites that were breached. How would they even know that? Think about it… How could they realistically know what passwords a person uses on other websites, unless they are in possession of those databases? How about just admitting it was their own lack of security and just owning it?

What I also found funny (sad?) about yesterday’s story… Whatever vulnerability made it necessary to lock 800,000 Canadians out of their CRA accounts was reportedly discovered back in February. The potential impact of this breach was so severe they were able to get this lock out done literally within weeks of its discovery… and also announce to the would be hackers a few days ahead of time they are going to lock down accounts. A few weeks is as quick as we are able to react?

1 Like

Can’t disagree with a lot of what you said @snowplowguy, except for this part:
“How could they realistically know what passwords a person uses on other websites, unless they are in possession of those databases?”

This is actually trivially easy. There are any number of sites (the one I quoted above is just one of many) and utilities (1 Password eg) or services (WebRoot eg) that scour the Dark Web for lists of breached user/pass combinations. There are also - quite literally - thousands of lists of these, mostly for sale to would-be-thieves and hackers.

What makes Have I Been Pwned interesting is also its adjunct which checks pwned passwords.

(Note: for those who don’t know “pwned” is pronounced like p followed by “owned” and is a hackerism denoting that they own you.)

Try it: it’s fun. I just typed in “mydoghasfleas” - guess what - pwned.
Also “Gretzky99” “Beauty456” “dumbpassword” “canadaisgreat”
Oddly “ihatecra” is good…although it is FAR too short.

So these databases (some are public, on pastebin) can be used to determine if a user/pass combo has been found elsewhere. Or if a password has been breached somewhere. 1Password, for instance, will notify a user if such is the case (even if the user/pass combo is different!)

As well, as sysadmins, we have (if we know where to look!) lists of passwords NOT to allow in our systems (like “Pa55w0rd”).

And, it’s hard to outguess a computer, which can process transactions at unbelievable rates if unhindered in the number of retries.