The Government of Canada says a recent cyber incident involving a third-party multi-factor authentication service exposed phone numbers and email addresses for certain users of Canada Revenue Agency (CRA), Employment and Social Development Canada (ESDC), and Canada Border Services Agency (CBSA) accounts.
The Office of the Chief Information Officer said the breach occurred between Aug. 3 and 15, 2025, after a routine software update created a vulnerability in the application interface of 2Keys Corporation, the MFA provider.
The company quickly identified the issue, notified the government, and launched an investigation. During the incident, a malicious actor sent spam text messages containing links to fraudulent phishing websites designed to resemble official Government of Canada sites.
Officials said there is no evidence that sensitive personal information beyond phone numbers and email addresses was accessed. The incident has been classified as a non-material privacy breach. The MFA service has since been restored and the software vulnerability addressed.
“Users of Government of Canada online services should remain vigilant if they receive unexpected messages alleging to originate from the government,” the statement said, urging users to follow cybersecurity best practices, including monitoring account activity, using complex passwords, and reporting suspicious messages.
The government said it is working with external cybersecurity experts to continue investigating the incident and stressed that robust systems are in place to monitor, detect, and respond to potential cyber threats.