Ottawa’s CRA breach payout closes one case, but AI is making the same old tricks more dangerous

A six-year legal battle ended in an $8.76 million payout – but the attack that caused it was surprisingly low-tech



By Branislav Urosevic

The federal government’s $8.76‑million settlement over credential‑stuffing attacks on Canada Revenue Agency (CRA) online accounts may bring a six‑year legal battle to a close, but it does not end the risk for Canadians whose data was exposed.

According to two cyber experts, the kind of “old school” attack used against CRA is exactly the type of crime that artificial intelligence is poised to supercharge, and too many organizations still treat basic protections like multi‑factor authentication (MFA) as optional.

It doesn’t take a fancy hack

For Jack Brooks (pictured left), BOXX Insurance’s virtual Chief Information Officer (vCISO), the first lesson from the CRA case is how mundane the underlying attack really was.

“The number one lesson to take away from this is that cyber attacks don’t need to be sophisticated to be quite devastating,” Brooks said in an interview with Insurance Business. The CRA incident, he noted, did not rely on cutting‑edge exploits or unknown software flaws. Instead, attackers reused usernames and passwords stolen in earlier breaches from other websites and ran them in bulk against federal government portals.

Brooks described it as “basic password reuse” on a massive scale. Rather than “a fancy hacking effort,” the attackers used an automated credential‑stuffing campaign – systematically trying credential pairs from past leaks until they found combinations that opened accounts on CRA’s My Account portal and other federal services.

That simplicity is precisely what makes the case troubling.

Passwords are already compromised – treat them that way

Neal Jardine (pictured right), chief cyber intelligence and claims officer at BOXX Insurance, said the CRA breach should be a wake‑up call for how organizations think about logins in 2026.

“Organizations need to shift away from the assumption that passwords are private. In today’s environment, credentials should be treated as inherently exposed, and security models must be built around layered identity verification, behavioural monitoring, and resilience, not trust in a password alone,” Jardine said. That means designing systems on the assumption that email‑and‑password alone are not reliable proof of identity.

In the CRA incident, hackers combined reused credentials with other bits of personal information gleaned from previous data exposures. With those pieces in hand, they were able to break into accounts and, in many cases, apply for pandemic‑era benefits such as CERB and CESB in victims’ names.

From Jardine’s perspective, the problem was not only the stolen passwords, but also how much weight the system placed on them – and how few roadblocks stood in the way once the attackers started trying those logins at scale.

“What makes incidents like this concerning is not the sophistication of the attack, but the scalability of it,” he said. “Credential stuffing has existed for years, but AI and automation are dramatically increasing the speed, precision, and volume at which attackers can operationalize stolen data.”

Jardine noted the attack was highly automated, allowing threat actors to test large volumes of credentials rapidly against government systems.

“The absence of stronger controls around login attempts and layered identity verification created an environment where attackers could continue probing accounts at scale,” he said. “From a cybersecurity perspective, that’s a fundamental hygiene issue.”

MFA is no longer optional, but too often still is

Both experts stressed that the CRA incident underscores how important it is to treat multi‑factor authentication and other secondary checks as a baseline, not a nice‑to‑have.

“It’s basic security hygiene,” Brooks said. “MFA is no longer optional.” He added that this is a conversation BOXX has repeatedly with clients who run customer portals and worry about making the process more complicated.

“I know you don’t want to create a lot of friction to get in,” he tells them. “But when these sorts of events happen, they can be quite devastating for your client and the trust that they place in your business. You need multi‑factor authentication in place.”

In CRA’s case, additional safeguards existed but were in large part optional for users.

That pattern (optional MFA, unlimited or weakly‑limited login attempts, and a heavy reliance on passwords) is still common across industries, they warned.
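The two control gaps named above, weakly limited login attempts and no signal when one source sprays many different accounts, can be illustrated with a small defender-side script. This is an added example, not CRA or BOXX code; the log events are constructed, and the thresholds (5 distinct accounts, 3 attempts per minute) are assumptions to be tuned per portal.

```python
"""Credential-stuffing detection and login throttling over constructed auth logs."""
from collections import defaultdict, deque

# Constructed sample events (not from any real system):
# (timestamp_seconds, source_ip, username, login_succeeded)
EVENTS = [
    (0, "203.0.113.5", "alice", False),
    (1, "203.0.113.5", "bob", False),
    (2, "203.0.113.5", "carol", True),   # a reused password that still worked
    (3, "203.0.113.5", "dave", False),
    (4, "203.0.113.5", "erin", False),
    (5, "203.0.113.5", "frank", False),
    (10, "198.51.100.9", "alice", False),  # ordinary user mistyping once
    (20, "198.51.100.9", "alice", True),
]

def stuffing_sources(events, min_accounts=5, max_success_ratio=0.5):
    """Return source IPs that look like credential stuffing: many distinct
    usernames tried from one source with a low success ratio."""
    per_src = defaultdict(lambda: {"users": set(), "attempts": 0, "ok": 0})
    for _ts, src, user, ok in events:
        s = per_src[src]
        s["users"].add(user)
        s["attempts"] += 1
        s["ok"] += int(ok)
    return sorted(src for src, s in per_src.items()
                  if len(s["users"]) >= min_accounts
                  and s["ok"] / s["attempts"] <= max_success_ratio)

class LoginThrottle:
    """Sliding-window limiter: at most `limit` attempts per source per `window`
    seconds, checked before the password is verified, so a leaked list cannot
    be tested at full speed."""
    def __init__(self, limit=3, window=60):
        self.limit, self.window = limit, window
        self.hits = defaultdict(deque)  # source -> timestamps inside the window

    def allow(self, ts, src):
        q = self.hits[src]
        while q and ts - q[0] >= self.window:  # drop attempts older than window
            q.popleft()
        if len(q) >= self.limit:
            return False
        q.append(ts)
        return True

def replay(events, throttle):
    """Feed events through the throttle; return the attempts it would refuse."""
    return [(ts, src, user) for ts, src, user, _ in events
            if not throttle.allow(ts, src)]
```

A per-source limit is only a floor, since attempts spread over many sources slip under it; per-account limits and an MFA step-up on unusual logins close the remaining gap.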

“Think of social media,” Brooks said. “You don’t have to use multi‑factor, but think of the treasure trove from the social‑engineering point of view. While you may not care about certain data, criminals can use it and compare it to other data to develop a very detailed profile about their victims. Publicly accessible profiles can provide all manner of clues about a person’s life that criminals can later exploit to bypass other verification steps.”

AI is the new amplifier for old data

If the attacks themselves were not particularly advanced in 2020, the environment around them has changed dramatically since.

Jardine said the “modern cyber attack” is increasingly about aggregating and mining the vast troves of personal data spilled in breaches over the past decade, and that is where AI is becoming a significant force multiplier.

“AI is changing the economics of cybercrime,” he said. “What once required significant manual effort can now be automated at scale, allowing threat actors to aggregate breached datasets, correlate identities across platforms, and rapidly identify the most exploitable individuals, businesses, and access points.”

“We are entering an era where historical data breaches never truly disappear,” Jardine added. “AI is turning years of leaked information into a continuously reusable attack surface.”

No blame, but clear lessons

Despite their criticisms of controls, both Jardine and Brooks stressed that there are clear lessons to be learned.

“The broader issue is that cybercriminals are operating in an environment where enormous volumes of historical data are already circulating online, and AI is making that information significantly easier to weaponize,” Jardine said.

What matters now, they said, is not apportioning blame but absorbing the lessons. For organizations, that means assuming passwords are compromised, enforcing layered defenses, and making MFA and rate‑limiting non‑negotiable. For policymakers, it may mean raising the minimum bar for how public bodies handle identity data and authenticate citizens.
