The text messages arrived late at night, disguised as official government alerts. Each contained a familiar seal, a link that appeared trustworthy, and an urgent request to log in. For more than 880,000 Canadians, those fraudulent messages were the first visible sign of a data breach that had quietly siphoned their phone numbers and email addresses from the very system meant to protect their online identities.
The breach was traced back to Interac-owned 2Keys, a software provider responsible for the multi-factor authentication used by the Canada Revenue Agency, Service Canada and the Canada Border Services Agency. Officials confirmed that hackers gained access to roughly 85,000 email addresses and nearly a million phone numbers. What followed was a wave of phishing attempts that mirrored official federal portals, tricking some recipients into handing over their credentials.
At the time, the government’s Chief Information Officer downplayed the event as a “non-material privacy incident,” noting that no highly sensitive data — such as banking details, addresses, or Social Insurance Numbers — had been exposed. Yet the stolen information was valuable enough for cybercriminals to mount a large-scale spam campaign, targeting unsuspecting users with convincing digital bait.
When pressed, Employment and Social Development Canada acknowledged the true scope of the breach after weeks of inquiries, confirming that hackers were able to send more than 881,000 fraudulent messages. Despite the scale, government spokesperson Mila Roy insisted no fraudulent activity or compromised accounts had been detected. “The data accessed did not include any additional personal identifiable information or sensitive personal data,” she said, emphasizing that stolen phone numbers and emails alone were not sufficient to break into federal accounts.
But the incident underscores how even limited personal data can be weaponized when paired with well-crafted deception. A spoofed text, a cloned login page, and a moment of panic are sometimes all it takes to persuade someone to surrender sensitive credentials. Security experts warn that phishing schemes remain among the most effective tactics in the hacker’s arsenal, particularly when they exploit the authority of government institutions.
The revelation has renewed scrutiny over Ottawa’s reliance on third-party digital security providers. Interac’s 2Keys platform was designed to add a layer of protection by sending one-time codes via text, call, or email to confirm user identities. That same system has now become a weak point, compromised in a way that exposed nearly a million Canadians to attempted fraud.
