The Canada Revenue Agency locked more than 800,000 taxpayers out of its online platform on Saturday after an investigation revealed that some usernames and passwords may have been obtained by "unauthorized third parties."
On Friday, the agency said the move is a precautionary cybersecurity measure and is being taken after a similar action in February, when over 100,000 accounts accounts were locked.
"Like the accounts that were locked in February, these user IDs and passwords were not compromised as a result of a breach of CRA's online systems. Rather, they may have been obtained by unauthorized third parties and through a variety of means by sources external to the CRA," said CRA in a news release.
The agency cited external data breaches and email phishing scams as possible sources of compromised personal information.
As part of its cybersecurity efforts, CRA will lock all accounts that use the same login information as other accounts that have been made available on the so-called "dark web", a part of the internet that can be accessed only through a special browser.
The agency said that such "preventative measures ... may become more frequent to safeguard taxpayers' information."
CRA's move comes in the middle of one of the most complicated tax seasons in recent memory, as millions of Canadians prepare to file taxes after receiving COVID-19 benefits.
WATCH | What to do if you've been locked out of your CRA account:
Next steps for locked accounts
Affected taxpayers will have their emails removed from their accounts, the agency said, and won't be able to reset passwords using the traditional method on the agency's website. Those who try will receive an error message.
Affected individuals will receive instructions on how to regain access to their CRA account, the agency said. Those who have signed up for email notifications from CRA My Account will receive emails, while other affected individuals will receive their instructions by mail.
Individuals can also regain access to their CRA account by using a different login method, such as their banking login, or by creating a new user ID and password, which requires requesting that a unique personal identification number (PIN) be sent by mail.
The issues should be fixed by March 22, CRA said, but anyone who hasn't been able to regain access by that date should call the agency.
Affected individuals can visit this webpage for more information.
In order to ensure their personal information remains safe, CRA is encouraging all users of its services to do the following:
Create a personal identification number (PIN) in CRA My Account to help confirm their identity on future calls with the CRA.
Sign up for email notifications.
Monitor their accounts for suspicious activities, including unsolicited account changes.
Change passwords regularly.
Keep account information up to date.
Install software to remove malware from computers and devices.