Starting on 17 October 2019, Canada Post customers began receiving notifications that they needed to reset their passwords with Canada Post’s online service. Canada Post stated that this was not due to a specific data breach, but that customers’ data had been compromised in other data breaches.
Many users recycle the same login credentials across many different online services. Canada Post believes that in some cases, criminals were able to gain access to Canada Post online accounts by using credentials compromised in other breaches.
Canada Post said in a statement that, “this appears to be the result of credential stuffing, where login and password credentials stolen in external privacy breaches unrelated to Canada Post were paired and used to access some Canada Post accounts.
This is possible when users reuse their credentials on several websites to avoid having to remember different passwords.”
In 2018, 4500 Ontario Cannabis Store (OCS) customers had their personal information accessed in a data breach that was enabled by a Canada Post delivery tracking tool. The breach included postal codes, the names of people who signed for deliveries, and OCS and Canada Post reference numbers.
The customer who discovered the security flaw reported it to Canada Post and deleted the personal information after doing so.
Canada Post “held to a higher standard”
In the wake of the OCS data breach and incidents of credential stuffing, Canada Post said that it was reviewing its security policies to strengthen the security of its platform.
Canada Post said that it would begin notifying users whose credentials were compromised on 17 October, but as of this writing, users are still being notified.
How to Protect Yourself
Users should use a unique password for every online service. Strong passwords should be a minimum of twelve characters in length, include lowercase and uppercase letters, symbols and numbers, avoid repetition, and not contain any information that can be linked to the user (pet names, birthdays, etc.).
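As an added example (not from the article or from Canada Post), here is a Python checker that applies the rules listed above, including the check for user-linked information such as a pet name or birthday. The rule codes it returns and the sample inputs are constructed for illustration.

```python
import re

MIN_LENGTH = 12  # the minimum length recommended above


def _personal_tokens(personal_info):
    """Split each piece of user-linked data into alphanumeric tokens of 3+ characters.

    A birthday like '1990-05-12' yields '1990' and the joined form '19900512'.
    """
    tokens = set()
    for item in personal_info:
        parts = re.findall(r"[a-z0-9]+", str(item).lower())
        tokens.update(p for p in parts if len(p) >= 3)
        joined = "".join(parts)
        if len(joined) >= 3:
            tokens.add(joined)
    return tokens


def check_password(password, personal_info=()):
    """Return the list of policy rules the password breaks (empty list = passes)."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("too_short")
    if not any(c.islower() for c in password):
        problems.append("no_lowercase")
    if not any(c.isupper() for c in password):
        problems.append("no_uppercase")
    if not any(c.isdigit() for c in password):
        problems.append("no_digit")
    if not any(not c.isalnum() for c in password):
        problems.append("no_symbol")
    # Repetition: three or more of the same character in a row ('!!!'),
    # or a chunk of 2+ characters immediately repeated ('abab', '123123').
    if re.search(r"(.)\1{2,}", password) or re.search(r"(..+?)\1", password):
        problems.append("repetition")
    # User-linked information: case-insensitive substring match on each token.
    lowered = password.lower()
    for token in sorted(_personal_tokens(personal_info)):
        if token in lowered:
            problems.append("personal_info:" + token)
    return problems


if __name__ == "__main__":
    # Constructed sample: a pet name plus a birthday, as the article warns against.
    print(check_password("Fluffy2019!!!", ["Fluffy", "1990-05-12"]))
```

The same checker can be pointed at a service's own policy by changing MIN_LENGTH or the token rules; it does not measure entropy or check known-breached passwords, which a real deployment should add.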