Over 800,000 more CRA accounts Locked Out !! | Income tax filing | Discussion forum

Please consider registering
guest

sp_LogInOut Log In sp_Registration Register

Register | Lost password?
Advanced Search

— Forum Scope —




— Match —





— Forum Options —





Minimum search word length is 3 characters - maximum search word length is 84 characters

sp_Feed Topic RSS sp_TopicIcon
Over 800,000 more CRA accounts Locked Out !!
March 13, 2021
9:34 am
Dean
Valhalla Mountains, British Columbia
Member
Members
Forum Posts: 1262
Member Since:
January 12, 2019
sp_UserOfflineSmall Offline

.
CBC News Link https://www.cbc.ca/news/politics/cra-accounts-locked-1.5947714

And just as this year's tax season gets underway ❗

      Dean sf-confused

sf-cool " Live Long And Prosper " sf-cool

March 13, 2021
10:17 am
Norman1
Member
Members
Forum Posts: 5464
Member Since:
April 6, 2013
sp_UserOfflineSmall Offline

It looks like CRA is obtaining lists of e-mail addresses and passwords being sold and seeing if the passwords also work against people's CRA accounts:

As part of its cybersecurity efforts, CRA will lock all accounts that use the same login information as other accounts that have been made available on the so-called "dark web", a part of the internet that can be accessed only through a special browser.

March 13, 2021
10:40 am
Doug
British Columbia, Canada
Member
Members
Forum Posts: 3815
Member Since:
December 12, 2009
sp_UserOfflineSmall Offline

Norman1 said

"dark web", a part of the internet that can be accessed only through a special browser.

  

Thanks, Norman. Reading between the lines of the above further, it looks like they're specifically referring to content available on the Tor anonymity network. I'm a bit surprised they actually made a point of mentioning "a part of the internet that can be accessed only through a special browser," though, since the so-called "dark web" includes more than just websites available through the Tor network.

Cheers,
Doug

March 13, 2021
1:53 pm
Bill
Member
Members
Forum Posts: 3347
Member Since:
September 11, 2013
sp_UserOfflineSmall Offline

CBC acts like 800,000 is a lot (just like with the vaccines) but this affects relatively few people, about 3% of filers. In our family 3 tried to access My Account today, all had zero problems.

March 13, 2021
3:00 pm
Kidd
Member
Banned
Forum Posts: 840
Member Since:
February 27, 2018
sp_UserOfflineSmall Offline

Bill said
CBC acts like 800,000 is a lot (just like with the vaccines) but this affects relatively few people, about 3% of filers. In our family 3 tried to access My Account today, all had zero problems.  

This 800,000 in March is in addition to the 100,000 in February.

Bill, if everyone in canada used the cra web link, then maybe some might consider 900,000 a small number. This number is huge. Sadly this happens every year to the cra, every year. In past the cra have extended the filing date. Ohhhhhh canada

March 13, 2021
5:34 pm
AltaRed
BC Interior
Member
Members
Forum Posts: 2056
Member Since:
October 27, 2013
sp_UserOfflineSmall Offline

Except it is not a CRA breach. It is user id and password info CRA has found on the dark web from other third party breaches. To the extent CRA is finding passwords that are the same as what people are using to login to CRA, this is on the taxpayer, not CRA. They are doing some taxpayers good service by protecting them from themselves.

March 13, 2021
7:11 pm
Kidd
Member
Banned
Forum Posts: 840
Member Since:
February 27, 2018
sp_UserOfflineSmall Offline

So the story goes??? the cra found canadian email addresses and passwords on the dark web? The cra is doing a cross reference to see if those Canadian's use the same password on the cra web site?

So... if the cra have blocked 900,000 cra user accounts. the cra must have found ballpark 15 million email addresses and passwords on the dark web, to determine 900,000 of those are used on the cra web site? Really???

Well, believe that if you will. BUT HONESTLY the cra do NOT have the a ability to cross reference "found" email passwords. Have you heard of other countries doing this?

A more likely scenario... someone at the cra was mining bitcoin using the cra servers. To do so, the servers must have lowered their firewalls and a data breach occurred. The cra are the ones who released the email information. That's more plausible.

Canada home of the Phoenix payroll boondoggle. Our government employees use Velcro to close their shoes because they don't know how to tie them.

March 13, 2021
7:27 pm
AltaRed
BC Interior
Member
Members
Forum Posts: 2056
Member Since:
October 27, 2013
sp_UserOfflineSmall Offline

I am of the opinion CRA would not blatantly lie to this degree on such a visible matter, so I will give them the benefit of the doubt for the time being.

March 13, 2021
7:37 pm
Kidd
Member
Banned
Forum Posts: 840
Member Since:
February 27, 2018
sp_UserOfflineSmall Offline

AltaRed... most people use the likes of gmail, outlook etc... how do you distinguish Canadian?

March 14, 2021
7:30 am
savingtime
Newbie
Members
Forum Posts: 1
Member Since:
September 15, 2020
sp_UserOfflineSmall Offline

Kidd said
Well, believe that if you will. BUT HONESTLY the cra do NOT have the a ability to cross reference "found" email passwords. Have you heard of other countries doing this?
 

This statement may have been correct 5 years ago, but there are now online resources that allow you to look up a database of passwords against known breached/stolen passwords.

See the following link:
https://www.troyhunt.com/welcoming-the-canadian-government-to-have-i-been-pwned/

This service collates passwords found on the dark web and allows registrants to query against encrypted (hashed, to be precise) passwords for matches. It's a legit and reputable service.

What has likely happened is that CRA has run the query and found 800,000 passwords that were a hit against the breached password database. No need to know the associated username or email address. Just the password.

March 14, 2021
3:01 pm
AltaRed
BC Interior
Member
Members
Forum Posts: 2056
Member Since:
October 27, 2013
sp_UserOfflineSmall Offline

savingtime said
What has likely happened is that CRA has run the query and found 800,000 passwords that were a hit against the breached password database. No need to know the associated username or email address. Just the password.  

Agreed. The password is the critical part. But CRA could also have looked for matches at a User ID level too, whether that User ID is an email address or some other alphanumeric combination. To me, User ID matching would be overkill...unless it was matched with a password as well - in which case the door to the vault is open.

March 14, 2021
4:05 pm
Dean
Valhalla Mountains, British Columbia
Member
Members
Forum Posts: 1262
Member Since:
January 12, 2019
sp_UserOfflineSmall Offline

.
And now ... the Expert's chime in :

Quote :

    "In what might be considered the most complicated tax season yet, Canadians who have lost access to their accounts will be unable to regain access until at least March 22, according to the CRA."

.
A Sad State Of Affairs ❗ sf-confused

    Dean

sf-cool " Live Long And Prosper " sf-cool

March 14, 2021
7:06 pm
Kidd
Member
Banned
Forum Posts: 840
Member Since:
February 27, 2018
sp_UserOfflineSmall Offline

I would ask, why is this only a canadian phenomena? The IRS must be doing the same to protect the American tax payer?

OR are you under the belief, canada is cutting edge, an innovator, the leader of the pack?

OR maybe just maybe... because canada outsources everything, the cra willingly gave all of our data to a 3rd party to alphabetize.

March 15, 2021
6:31 am
Alexandre
Member
Members
Forum Posts: 738
Member Since:
November 8, 2018
sp_UserOfflineSmall Offline

I suspect outsourcing.

My personal experience: have not had fake CRA calls at all. One year, CRA requested support documentation on tax deductions I claimed.
Since that year, I am routinely getting fake CRA calls about my taxes.

Ironically, not all CRA calls, does not matter how unrealistic they sound, are fake: Check your paperwork or you may wind up with an $8M tax bill like this barista.

March 15, 2021
8:20 pm
Save2Retire@55
Member
Members
Forum Posts: 794
Member Since:
January 3, 2013
sp_UserOfflineSmall Offline

Kidd said
So the story goes??? the cra found canadian email addresses and passwords on the dark web? The cra is doing a cross reference to see if those Canadian's use the same password on the cra web site?

So... if the cra have blocked 900,000 cra user accounts. the cra must have found ballpark 15 million email addresses and passwords on the dark web, to determine 900,000 of those are used on the cra web site? Really???

Well, believe that if you will. BUT HONESTLY the cra do NOT have the a ability to cross reference "found" email passwords. Have you heard of other countries doing this?

A more likely scenario... someone at the cra was mining bitcoin using the cra servers. To do so, the servers must have lowered their firewalls and a data breach occurred. The cra are the ones who released the email information. That's more plausible.

Canada home of the Phoenix payroll boondoggle. Our government employees use Velcro to close their shoes because they don't know how to tie them.  

We use a service in our company to do this exact thing. We do it monthly and tell the employee to reset their password immediately. Basically, we tell the employee! Hey. Isn't this your username / password that you use on this and this and this site? That scares them enough to start using different passwords.

Plus the MFA of course.

Please write your comments in the forum.