Canadians: if you’ve tried to access your CRA accounts recently, you probably noticed that you can no longer log in. That’s because normal access has been disabled while the CRA works to undo the damage caused by two recent attacks on its services.
The CRA systems were penetrated by persons unknown over the past two weeks. According to the CRA, the breaches have been contained, but the My Account, My Business Account and Represent a Client services have been disabled as a precaution.
Several thousand user accounts have been compromised. Starting in early August, unusual and unauthorized access to accounts was noticed by the account holders and reported to the CRA. In some cases, email, banking, and other account details were changed by the attackers. Fraudulent CERB payments were also issued.
Access to the compromised accounts was apparently gained via ‘credential stuffing’, in which usernames and passwords obtained elsewhere are tried against another service. It relies on the sadly-still-true fact that many people continue to use the same passwords on multiple systems. To be clear: if nobody ever did that, this type of attack would never be successful.
“Of the roughly 12 million active GCKey accounts in Canada, the passwords and usernames of 9,041 users were acquired fraudulently and used to try and access government services, a third of which accessed such services and are being further examined for suspicious activity,” according to a statement from the CRA.
The CRA is in the process of alerting people whose accounts were compromised.