Emails and Phone Numbers Accessed in Cyberattack on Federal Accounts

OTTAWA — The federal government has confirmed that email addresses and phone numbers linked to accounts with the Canada Revenue Agency (CRA), Employment and Social Development Canada (ESDC), and Canada Border Services Agency (CBSA) were accessed in a recent cyberattack.

According to the Treasury Board of Canada Secretariat, the government was notified of the incident on August 17 by 2Keys Corporation, the provider of the multi-factor authentication (MFA) service used for these accounts. 2Keys promptly launched an investigation in collaboration with external cybersecurity experts.

The breach was traced to a routine software update that created a vulnerability. This allowed a malicious actor to access phone numbers associated with CRA and ESDC accounts, as well as email addresses linked to CBSA accounts, for individuals using the MFA service between August 3 and August 15.

Authorities reported that some affected individuals received spam text messages containing links to a website designed to appear as an official Government of Canada page.

Also Read: Updates on the Canada federal cyberattack affecting CRA, ESDC, and CBSA accounts.

The Treasury Board confirmed that the MFA service has been restored and emphasized that there is no evidence that any additional sensitive personal information was disclosed.

This report was originally published by The Canadian Press on September 9, 2025.