OTTAWA -- A series of cyberattacks levelled against the Government of Canada exploited an internal “vulnerability” and leveraged previously hacked login information, leading to the breach of thousands of Canadians’ online Canada Revenue Agency accounts, federal officials say.

Over the weekend the Canada Revenue Agency temporarily shut down its online services and applications after hackers used thousands of stolen usernames and passwords to fraudulently access government services in three separate but serious breaches, comprising the personal information of thousands. 

While it was initially reported that 5,500 CRA account users had their personal information accessed, officials confirmed on Monday that a total of 11,200 accounts for Government of Canada services were compromised in the attacks. Officials said that one-third of accounts were used to actually log into government services, while the others are being monitored for suspicious behaviour.

These included cyberattacks directly targeting both CRA accounts as well as “GCKey” accounts, which can be used by 30 government departments and agencies to access other online portals such as veterans’ benefits and immigration applications. 

In total there were more than 9,000 impacted “GCKey” accounts and 5,600 CRA accounts, though more than half of the CRA accounts were believed to be tied back to the initial “GCKey” breach, officials said. 

“The bad actors were able to use the previously hacked credentials to access the CRA portal. They were also able to exploit a vulnerability in the configuration of security software solutions, which allowed them to bypass the CRA security questions and gain access to a user's CRA account. This vulnerability was patched and the risk of this attack vector has been mitigated,” said Marc Brouillard, the acting chief information officer for the Government of Canada, during a Monday morning technical briefing on the incidents.

Government officials said they first became aware of security issues on Aug. 7, contacted the RCMP on Aug. 11, and yet Canadians were not informed until this weekend, after further attacks were executed. 

The CRA defended not notifying Canadians earlier, stating that plans needed to be made internally to notify people and help regain access to their breached accounts.

Officials would not comment on who may have been behind the attacks, referring to the malicious actor only as “the perpetrator.” 

The government says the cyberattacks used “credential stuffing” schemes, where batches of stolen passwords and usernames from other websites are tested using automated bots to try to access users’ other online accounts, taking advantage of the reality that despite advice against it, many Canadians reuse passwords and usernames across multiple online accounts. 

The temporary online shutdown comes as many Canadians and Canadian businesses are still relying on COVID-19 emergency federal aid programs to stay financially afloat, such as those accessing the Canada Emergency Response Benefit.

The CRA was able to re-launch its business portal, allowing employers to access their accounts. Monday is the first day employers could begin applying for the revamped federal wage subsidy program.

The estimate is that remaining online services will be back up and running by Wednesday.

“We are also implementing additional controls and we expect to have those in place by Wednesday. Once those controls are in place we believe that the services will be secured,” said Annette Butikofer, the CRA’s chief information officer, adding that CRA staff is “working around the clock” on this matter.

Officials suggested those needing to apply for aid or access their online services for another reason do so over the phone, but asked Canadians not to call to find out if they have been breached. 

Impacted individuals have had their accounts suspended, and the government is working on notifying all affected users and tallying the damage done by these cyberattacks. Government officials are encouraging all who suspect they have had their accounts compromised to report it, and check the status of other login accounts, such as online banking and to in the future always use unique logins and passwords, especially with services that hold personal information.

Impacted individuals will receive a letter from the CRA explaining how to confirm their identity in order to protect and restore access to their CRA account, the revenue agency says. 

The RCMP and federal privacy commissioner are investigating.  

With a report from CTV News’ Heather Wright