Personal Finance

I got an email from CRA saying my email address has been removed

  • Last Updated:
  • Feb 18th, 2021 2:30 pm
[OP]
Member
User avatar
Jun 2, 2017
233 posts
100 upvotes
Edmonton, AB

I got an email from CRA saying my email address has been removed

It turns out hundreds (if not thousands) of Canadians got this email as well. I was able to login and change my password right away but cannot navigate to the CRA homepage.

Here’s the tweet about it:
IT guy | dad | sneakerhead | everything Apple | AV enthusiast | new homeowner
20 replies
Deal Addict
Aug 28, 2010
1223 posts
306 upvotes
Toronto
Im in same boat, there is a reddit thread also with a ton of affected people. Must call to unlock account..... ugh 4 hr wait tomorrow.
Deal Addict
User avatar
May 8, 2007
1085 posts
329 upvotes
Fraser Valley, BC
Could this be relayed to the security problem from a few months ago, where hackers broke in and got some of our personal data? CRA maybe is making sure we update our account details in case hackers might try to impersonate us.

Recently I've been logging into CRA every week or so to check to see my updated TFSA contribution limit (banks are supposed to send in our recent contribution data early in year I think). On my most recent login CRA strongly recommended I change my password, and they also gt me to set up 2FA, which I did.

----------------
related movie entertainment: Blackhat (2015) - Chris Hemsworth plays a hacker sprung from prison to assist cops in tracking down crooks who are using computers to cause disasters, steal millions, etc.
https://www.imdb.com/title/tt2717822/
Deal Addict
Sep 14, 2012
1237 posts
836 upvotes
Montreal, QC
adams7 wrote: Recently I've been logging into CRA every week or so to check to see my updated TFSA contribution limit (banks are supposed to send in our recent contribution data early in year I think). On my most recent login CRA strongly recommended I change
You shouldn't trust that value. The only time you should trust that value is if you haven't made any withdrawals/contributions for an entire calendar year.

For example, currently my TFSA contribution limit shows the amount allowed as being $15k (which comprises of $6000 for 2020, the amount that I withdrew in December 2020 ($3000), and the amount for 2021 ($6000)). The entire amount of my 2020 contribution was done in late January 2020 and the amount that I withdrew in December 2020 and the amount for 2021 was contributed/deposited in late January 2021. We are now in February 2021 and the CRA TFSA limit doesn't even show the amount $6000 amount that I contributed back in the end of January 2020.
Deal Expert
May 30, 2005
44937 posts
5514 upvotes
Richmond Hill
One of our accounts received this email too yesterday. First though was that it was a phishing email but I couldn't identify what it is phishing for as there were no external links. Sender email address checked out, but could easily be spoofed. CRA's website about phishing said that they only ever send out emails to let you know you have new mail in their inbox, which added to the confusion. Guess it turns out this statement is false :lol:
Artisan woodworker crafting live edge tables, end grain cutting boards, and other home decor
Silver Coins | Philips Wake-Up Light with Radio | Heatware
Deal Addict
Jan 21, 2018
4324 posts
4377 upvotes
Vancouver
https://www.cbc.ca/news/technology/cra- ... -1.5916607

Still no information. Let's speculate...

There's a widespread problem that led the CRA to remove email addresses from a bunch of accounts. They claim it's not a security issue and there is no outside breach. It's an "investigation". So what could it be? How about an internal screwup where somebody at the CRA corrupted a lot of email addresses and lost the right ones?
Deal Addict
Aug 28, 2010
1223 posts
306 upvotes
Toronto
Do not call and go through Online services help portion i.e web account locked out. They do not have access to fix ERR 021 and transfering me to a diff dept. :(

4.5 hours on hold. Got through to someone after the transfer. They recommended i setup a Telephone PIN and then they disconnected me. I am so livid.
Deal Fanatic
Apr 16, 2007
7957 posts
3246 upvotes
Financial District B…
CRA suspends online accounts of over 100,000 Canadians after login credentials found for sale on dark web

If you received an unexpected and cryptic email on Feb. 16 from CRA warning that your email had been deleted from the agency’s web platform, do not worry

https://nationalpost.com/news/politics/ ... n-dark-web
----------------------------Licensed Credit Bureau member, S1, FI Automotive, CCP forums most banned = x 13 and counting, guess who that is?... stomped to the curb once again
Deal Addict
User avatar
Dec 15, 2001
3131 posts
811 upvotes
Toronto
mikeymike1 wrote: CRA suspends online accounts of over 100,000 Canadians after login credentials found for sale on dark web

If you received an unexpected and cryptic email on Feb. 16 from CRA warning that your email had been deleted from the agency’s web platform, do not worry

https://nationalpost.com/news/politics/ ... n-dark-web
Strange that these emails found on the dark web triggered CRA to take action on their end. What’s the correlation?

If I had to speculate/guess, data compromised through an online tax filing software...?
Deal Fanatic
Apr 16, 2007
7957 posts
3246 upvotes
Financial District B…
GSXXRR wrote: Strange that these emails found on the dark web triggered CRA to take action on their end. What’s the correlation?

If I had to speculate/guess, data compromised through an online tax filing software...?
Digital markers such as cookies and html digital signatures and other web analytic software such as webtrends creates a client footprint.
Possible/probable sign in attempts and/or account creations may have been a trigger

If you got that email from the CRA I would highly suggest you trash that email account and never use it again for anything especially if it is currently used as an account identifier.
Go create a new email address
----------------------------Licensed Credit Bureau member, S1, FI Automotive, CCP forums most banned = x 13 and counting, guess who that is?... stomped to the curb once again
Sr. Member
User avatar
Jun 25, 2008
601 posts
308 upvotes
mikeymike1 wrote: Digital markers such as cookies and html digital signatures and other web analytic software such as webtrends creates a client footprint.
Possible/probable sign in attempts and/or account creations may have been a trigger

If you got that email from the CRA I would highly suggest you trash that email account and never use it again for anything especially if it is currently used as an account identifier.
Go create a new email address
Email addresses are not secret information. They should be treated like any other identifier that is public knowledge, like a phone number.

Set up 2FA and randomized passwords on all of your online accounts that use email as the identifer. This should be done no matter if you were swept up in this sweep or not.

There's no point throwing away your email address. I'm not sure what problem mikeymike1 is trying to solve here.
Deal Addict
Jan 21, 2018
4324 posts
4377 upvotes
Vancouver
MikeMontrealer wrote: Email addresses are not secret information. They should be treated like any other identifier that is public knowledge, like a phone number.

Set up 2FA and randomized passwords on all of your online accounts that use email as the identifer. This should be done no matter if you were swept up in this sweep or not.

There's no point throwing away your email address.
True. But there are two problems with using email addresses as identifiers:

1. Since they are public, they attract an ever-increasing volume of spam over a couple of years. It's a good idea to clean up by getting rid of the old email address once in a while.

2. Many people rely on an email address issued by their ISP. That's foolish - it ties you to that ISP, and you will lose the email address if you change ISPs. Better to use something more portable like a Gmail address. Better still, get your own domain name and use your own custom email addresses (you never know when Google might start charging a fee for Gmail, or impose new restrictions).

A good practice is to use a custom email address with each service that asks for an email address. So for example if your base email name is tomhip, you can create a Gmail address like tomhip@gmail.com, and then use tomhip+anything@gmail.com (Gmail ignores anything after the +). So for example if company Ultramax wants your email address, you tell them it's tomhip+ultramax@gmail.com. That way you will know if Ultramax is sending you spam, or sold your email to spammers, and you can specifically block that email. Even better, if you create your own domain name like tomhip.com, then you can create your own email addresses like ultramax@tomhip.com, and easily delete them when you don't want them any more without affecting any other service.
Sr. Member
User avatar
Jun 25, 2008
601 posts
308 upvotes
Scote64 wrote: True. But there are two problems with using email addresses as identifiers:

1. Since they are public, they attract an ever-increasing volume of spam over a couple of years. It's a good idea to clean up by getting rid of the old email address once in a while.

2. Many people rely on an email address issued by their ISP. That's foolish - it ties you to that ISP, and you will lose the email address if you change ISPs. Better to use something more portable like a Gmail address. Better still, get your own domain name and use your own custom email addresses (you never know when Google might start charging a fee for Gmail, or impose new restrictions).

A good practice is to use a custom email address with each service that asks for an email address. So for example if your base email name is tomhip, you can create a Gmail address like tomhip@gmail.com, and then use tomhip+anything@gmail.com (Gmail ignores anything after the +). So for example if company Ultramax wants your email address, you tell them it's tomhip+ultramax@gmail.com. That way you will know if Ultramax is sending you spam, or sold your email to spammers, and you can specifically block that email. Even better, if you create your own domain name like tomhip.com, then you can create your own email addresses like ultramax@tomhip.com, and easily delete them when you don't want them any more without affecting any other service.
These are great suggestions for sure. I'm just saying if someone already is using a non-ISP email (i.e. a gmail), it may not be worth throwing it out every time it's involved in a breach, unless you are willing to change email addresses every so often.

Also, spam filtering has advanced to the point I rarely see spam in my gmail inbox itself - even though I've had my gmail since it was in early beta.

I do like the unique email for specific accounts idea, and you give great examples. Another would be to create multiple free email accounts (say your main one is protonmail, and your marketing one is gmail, or vice versa), and use the marketing one to sign up for everything unimportant/marketing related.
Member
Apr 16, 2020
262 posts
331 upvotes
Scote64 wrote: A good practice is to use a custom email address with each service that asks for an email address. So for example if your base email name is tomhip, you can create a Gmail address like tomhip@gmail.com, and then use tomhip+anything@gmail.com (Gmail ignores anything after the +). So for example if company Ultramax wants your email address, you tell them it's tomhip+ultramax@gmail.com. That way you will know if Ultramax is sending you spam, or sold your email to spammers, and you can specifically block that email. Even better, if you create your own domain name like tomhip.com, then you can create your own email addresses like ultramax@tomhip.com, and easily delete them when you don't want them any more without affecting any other service.
That works on the assumption that spammers aren't aware of this. In practice they just strip out anything after the plus on Gmail addresses.
Deal Fanatic
Feb 4, 2015
6403 posts
2808 upvotes
Canada, Eh!!
Suggest not to have name in email and use different ones for govt/financial along with google/msft authenticator and no telephone associated with email.
.......
July 13, 2017 to October 25, 2018: BOC raised rates 5 times and MCAP raised its prime rate next day each time.

2020: BOC dropped rates 3 times and MCAP waited and waited to drop its prime rate to include all 3 drops.
Deal Fanatic
Apr 16, 2007
7957 posts
3246 upvotes
Financial District B…
MikeMontrealer wrote: Email addresses are not secret information. They should be treated like any other identifier that is public knowledge, like a phone number.

Set up 2FA and randomized passwords on all of your online accounts that use email as the identifer. This should be done no matter if you were swept up in this sweep or not.

There's no point throwing away your email address. I'm not sure what problem mikeymike1 is trying to solve here.
Well it's obvious that if the CRA removed a clients email that email 'identifier' has been compromised and may not be accepted for use anymore.
And no email addresses are not treated like any other identifier. Identifiers are ranked/tiered by different security classes.
Your SIN number is a class 1 identifier as no one else can have it and it is not variable. Your home address is also an identifier but is variable as it can change and is a much lower class rank than a SIN identifier.
For match protocol you can supply us with just a sin and name and we will be able to find your file immediately. If you supply just name and address then the match protocol may find numerous people with same/similar identifiers.
Email identifiers are a lower class identifier because it is used publically (not private) and can be sold/traded. While it is mostly used for communication/correspondence the email address itself is now widely used as an identifier to an individual.
----------------------------Licensed Credit Bureau member, S1, FI Automotive, CCP forums most banned = x 13 and counting, guess who that is?... stomped to the curb once again
Sr. Member
User avatar
Jun 25, 2008
601 posts
308 upvotes
mikeymike1 wrote: Well it's obvious that if the CRA removed a clients email that email 'identifier' has been compromised and may not be accepted for use anymore.
And no email addresses are not treated like any other identifier. Identifiers are ranked/tiered by different security classes.
Your SIN number is a class 1 identifier as no one else can have it and it is not variable. Your home address is also an identifier but is variable as it can change and is a much lower class rank than a SIN identifier.
I said it should be treated as any other identifier that is *public knowledge* - much like a phone number or physical home address. I'm not sure why you compared it to a SIN number or why you're mentioning whichever classification you're talking about, neither of which I did.

And no, the email address is not compromised. It is simply known to have been involved in a breach. Enforcing a password change, and better yet, enforcing MFA would be enough to allow for the continued use of the email address.

Any cybersecurity design that relies on email address as a username and also relies on that being kept secret is a terrible design. Email addresses are not secrets. They're not designed to be secrets and are shared widely and freely. They cannot be compromised. That's like saying your home phone number has become compromised. Your email *account* can become compromised, sure. Not the address itself.
Deal Fanatic
Apr 16, 2007
7957 posts
3246 upvotes
Financial District B…
MikeMontrealer wrote: I said it should be treated as any other identifier that is *public knowledge* - much like a phone number or physical home address. I'm not sure why you compared it to a SIN number or why you're mentioning whichever classification you're talking about, neither of which I did.
You said all public identifiers should be treated as the same when they are not. Each one is ranked by security.
Your name, address, phone number, email address, birth date, drivers license number, are all 'public' identifiers but they are not all treated the same.
Using the SIN identifier as an example was to convey how our systems work but I can see it's no use explaining it.
MikeMontrealer wrote: And no, the email address is not compromised. It is simply known to have been involved in a breach. Enforcing a password change, and better yet, enforcing MFA would be enough to allow for the continued use of the email address.

Any cybersecurity design that relies on email address as a username and also relies on that being kept secret is a terrible design. Email addresses are not secrets. They're not designed to be secrets and are shared widely and freely. They cannot be compromised. That's like saying your home phone number has become compromised. Your email *account* can become compromised, sure. Not the address itself.
There are 4 main processes for client account recovery. In person, by voice (device), by mail, by electronic communication (email)
CRA stated 'login data' has been compromised and is being sold on the dark web.
How these people get into your account is they tap the forgot login pass or username - that gets the re-login data sent to the email account on file.(if they also know the other identifiers to get the reset) There's where the problem lies.
If your email has been compromised they can then retrieve that new login data.
----------------------------Licensed Credit Bureau member, S1, FI Automotive, CCP forums most banned = x 13 and counting, guess who that is?... stomped to the curb once again

Top