I got an email from CRA saying my email address has been removed

adams7 wrote: ↑ Recently I've been logging into CRA every week or so to check to see my updated TFSA contribution limit (banks are supposed to send in our recent contribution data early in year I think). On my most recent login CRA strongly recommended I change

Scote64 wrote: ↑ https://www.citynews1130.com/2021/02/16 ... ls-locked/

"CRA confirms the locked accounts were not because of a security breach, but rather an ongoing investigation"

mikeymike1 wrote: ↑ CRA suspends online accounts of over 100,000 Canadians after login credentials found for sale on dark web

If you received an unexpected and cryptic email on Feb. 16 from CRA warning that your email had been deleted from the agency’s web platform, do not worry

https://nationalpost.com/news/politics/ ... n-dark-web

GSXXRR wrote: ↑ Strange that these emails found on the dark web triggered CRA to take action on their end. What’s the correlation?

If I had to speculate/guess, data compromised through an online tax filing software...?

mikeymike1 wrote: ↑ Digital markers such as cookies and html digital signatures and other web analytic software such as webtrends creates a client footprint.
Possible/probable sign in attempts and/or account creations may have been a trigger

If you got that email from the CRA I would highly suggest you trash that email account and never use it again for anything especially if it is currently used as an account identifier.
Go create a new email address

MikeMontrealer wrote: ↑ Email addresses are not secret information. They should be treated like any other identifier that is public knowledge, like a phone number.

Set up 2FA and randomized passwords on all of your online accounts that use email as the identifer. This should be done no matter if you were swept up in this sweep or not.

There's no point throwing away your email address.

Scote64 wrote: ↑ True. But there are two problems with using email addresses as identifiers:

1. Since they are public, they attract an ever-increasing volume of spam over a couple of years. It's a good idea to clean up by getting rid of the old email address once in a while.

2. Many people rely on an email address issued by their ISP. That's foolish - it ties you to that ISP, and you will lose the email address if you change ISPs. Better to use something more portable like a Gmail address. Better still, get your own domain name and use your own custom email addresses (you never know when Google might start charging a fee for Gmail, or impose new restrictions).

A good practice is to use a custom email address with each service that asks for an email address. So for example if your base email name is tomhip, you can create a Gmail address like tomhip@gmail.com, and then use tomhip+anything@gmail.com (Gmail ignores anything after the +). So for example if company Ultramax wants your email address, you tell them it's tomhip+ultramax@gmail.com. That way you will know if Ultramax is sending you spam, or sold your email to spammers, and you can specifically block that email. Even better, if you create your own domain name like tomhip.com, then you can create your own email addresses like ultramax@tomhip.com, and easily delete them when you don't want them any more without affecting any other service.

Scote64 wrote: ↑ A good practice is to use a custom email address with each service that asks for an email address. So for example if your base email name is tomhip, you can create a Gmail address like tomhip@gmail.com, and then use tomhip+anything@gmail.com (Gmail ignores anything after the +). So for example if company Ultramax wants your email address, you tell them it's tomhip+ultramax@gmail.com. That way you will know if Ultramax is sending you spam, or sold your email to spammers, and you can specifically block that email. Even better, if you create your own domain name like tomhip.com, then you can create your own email addresses like ultramax@tomhip.com, and easily delete them when you don't want them any more without affecting any other service.

MikeMontrealer wrote: ↑ Email addresses are not secret information. They should be treated like any other identifier that is public knowledge, like a phone number.

Set up 2FA and randomized passwords on all of your online accounts that use email as the identifer. This should be done no matter if you were swept up in this sweep or not.

There's no point throwing away your email address. I'm not sure what problem mikeymike1 is trying to solve here.

mikeymike1 wrote: ↑ Well it's obvious that if the CRA removed a clients email that email 'identifier' has been compromised and may not be accepted for use anymore.
And no email addresses are not treated like any other identifier. Identifiers are ranked/tiered by different security classes.
Your SIN number is a class 1 identifier as no one else can have it and it is not variable. Your home address is also an identifier but is variable as it can change and is a much lower class rank than a SIN identifier.

MikeMontrealer wrote: ↑ I said it should be treated as any other identifier that is *public knowledge* - much like a phone number or physical home address. I'm not sure why you compared it to a SIN number or why you're mentioning whichever classification you're talking about, neither of which I did.

MikeMontrealer wrote: ↑ And no, the email address is not compromised. It is simply known to have been involved in a breach. Enforcing a password change, and better yet, enforcing MFA would be enough to allow for the continued use of the email address.

Any cybersecurity design that relies on email address as a username and also relies on that being kept secret is a terrible design. Email addresses are not secrets. They're not designed to be secrets and are shared widely and freely. They cannot be compromised. That's like saying your home phone number has become compromised. Your email *account* can become compromised, sure. Not the address itself.