Credential-Stuffing Attack on My Service Canada Account
Automated attacks use email-password pairs from unrelated data breaches to break into My Service Canada Account (MSCA) portals. A successful login allows attackers to redirect Employment Insurance and Old Age Security direct deposits to their own accounts.
Last reviewed: 8 June 2026
My Service Canada Account is a high-value target for credential-stuffing attacks because it controls direct-deposit instructions for Employment Insurance, Old Age Security, and Canada Pension Plan payments. Millions of Canadians use the portal, and many reuse passwords from other websites, so a fraction of the credentials taken from other breaches will also work on MSCA.
Attackers run automated tools overnight that test credential lists against the MSCA login page. For each successful login, they change the linked bank account before the victim next checks their account. The first indication for most victims is a payment that does not arrive on the expected date.
Service Canada is not responsible for passwords leaked from other services. However, using a unique password for MSCA and enabling multi-factor authentication closes this attack vector entirely.
How this scam works on the Service Canada brand
An attacker purchases a credential list from a dark-web marketplace containing millions of email-password pairs from past breaches of unrelated sites. Automated tooling tests each pair against the MSCA login endpoint. For accounts where the combination is valid, the tool flags the access and the attacker — or a buyer of the access — logs in manually.
Once inside MSCA, the attacker navigates to payment settings and changes the direct-deposit banking details to a prepaid card or money-mule account. EI claimants, pensioners, and CPP recipients typically notice the fraud only when an expected deposit does not arrive.
In some cases the attacker does not immediately change banking details but instead reads SIN and benefit-level information to sell to identity fraudsters or use in a secondary targeted phishing attack.
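The pattern described above, seen from the defender's side, as an added example (not code from Service Canada or from the original page): it flags source addresses that try many accounts with few successes, then reports accounts whose direct-deposit details change within 24 hours of a successful login from such a source. The event tuples, field layout, event names and thresholds are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events: (ISO time, source IP, account id, event).
# Field names and event labels are hypothetical, not an MSCA log format.
EVENTS = [
    ("2026-06-01T02:00:01", "203.0.113.7", "acct-101", "login_fail"),
    ("2026-06-01T02:00:02", "203.0.113.7", "acct-102", "login_fail"),
    ("2026-06-01T02:00:03", "203.0.113.7", "acct-103", "login_ok"),
    ("2026-06-01T02:00:04", "203.0.113.7", "acct-104", "login_fail"),
    ("2026-06-01T02:00:05", "203.0.113.7", "acct-105", "login_fail"),
    ("2026-06-01T02:00:06", "203.0.113.7", "acct-106", "login_fail"),
    ("2026-06-01T09:15:00", "198.51.100.20", "acct-200", "login_ok"),
    ("2026-06-01T09:20:00", "198.51.100.20", "acct-200", "deposit_change"),
    ("2026-06-01T11:30:00", "192.0.2.44", "acct-103", "login_ok"),
    ("2026-06-01T11:32:00", "192.0.2.44", "acct-103", "deposit_change"),
]

def stuffing_sources(events, min_accounts=5, max_success_ratio=0.25):
    """Source IPs that tried many distinct accounts and mostly failed."""
    tried, ok, total = defaultdict(set), defaultdict(int), defaultdict(int)
    for _, ip, acct, kind in events:
        if kind.startswith("login_"):
            tried[ip].add(acct)
            total[ip] += 1
            ok[ip] += kind == "login_ok"
    return {ip for ip in tried
            if len(tried[ip]) >= min_accounts
            and ok[ip] / total[ip] <= max_success_ratio}

def suspicious_deposit_changes(events, window=timedelta(hours=24)):
    """Accounts whose deposit details changed soon after a stuffing hit.

    The change is matched by account, not by IP, because the follow-up
    login may come from a different address than the automated run.
    """
    bad_ips = stuffing_sources(events)
    hit_time = {}  # account -> time of successful login from a flagged IP
    flagged = []
    for ts, ip, acct, kind in sorted(events):
        when = datetime.fromisoformat(ts)
        if kind == "login_ok" and ip in bad_ips:
            hit_time[acct] = when
        elif kind == "deposit_change" and acct in hit_time:
            if when - hit_time[acct] <= window:
                flagged.append(acct)
    return flagged
```

On the sample data, the ordinary user who logs in and updates their own banking details (acct-200) is not flagged, while acct-103 is, even though the banking change came from a different address than the automated run.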
Common red flags
- You receive an MSCA notification about a profile or banking change you did not make
- An expected EI, OAS, or CPP payment does not arrive on the expected date
- You use the same email and password for MSCA as for other websites that have previously been breached
- A login attempt notification from MSCA arrives at an unusual time or from an unrecognised location
- Your MSCA shows a new banking record you did not add
- You receive a confirmation email for an account action you did not perform
How to protect yourself
- Use a unique, strong password for MSCA that is not used on any other site
- Enable GCKey multi-factor authentication on your MSCA
- Check haveibeenpwned.com to see if your email has appeared in known breaches
- Log in to MSCA at canada.ca/my-account periodically to verify your banking and personal details
- If you receive an unexpected account-change notification, log in immediately and reverse the change
- Contact Service Canada at 1-800-206-7218 if you cannot access your account
- Place a fraud alert with Equifax Canada and TransUnion Canada if your SIN may have been exposed
How to report it
- Report account compromise to Service Canada at 1-800-206-7218
- Report to the Canadian Anti-Fraud Centre at antifraudcentre.ca or 1-888-495-8501
- File a report with the RCMP if benefit fraud is confirmed
- Report to the Office of the Privacy Commissioner of Canada at priv.gc.ca if personal data was accessed
- Contact your bank if a payment was redirected to a fraudulent account
Frequently asked questions
Did Service Canada suffer a data breach that exposed my credentials?
In a credential-stuffing attack, the credentials were leaked from a different website you used. Service Canada itself may not have been breached. The attack exploits password reuse. Using a unique password for MSCA prevents it entirely.
How do I reset my MSCA access if the attacker changed my email and password?
Call Service Canada at 1-800-206-7218 and request identity verification to regain access to your account. Have government-issued identification ready. If your SIN was compromised, report it to the RCMP.
Can I see who logged in to my MSCA and when?
MSCA does not currently provide a detailed login history to users, but it does send email notifications for account changes. Enable those notifications in your profile settings and check your email regularly for alerts.