A recent security incident has shaken confidence in one of Canada’s core authentication systems. 2Keys, the multi-factor authentication (MFA) provider used by Canadian federal services (like CRA, ESDC, CBSA), has confirmed a data breach affecting about 880,000 phone numbers and 85,000 email addresses linked to government accounts.
Though the breach reportedly did not include passwords, Social Insurance Numbers, or other highly sensitive personal data, the exposed contact information is still valuable to threat actors. Phishing, scam campaigns, and identity verification attacks could follow.
Here’s what happened, why it matters, and what you should do now — with a look through the lens of CIFDS’ approach to helping victims and protecting organizations.
What Happened: A Closer Look
- The breach occurred during a routine software update by 2Keys, in a window that began August 3 and lasted about two weeks.
- Attackers gained access to phone numbers and email addresses used for MFA verification (used to send codes or notifications).
- According to the government, no additional personally identifiable information (PII) was accessed — meaning names, addresses, or government identifiers were not exposed.
- No signs so far of fraudulent access to government accounts, but incidents of spam, phishing, or fraudulent messages tied to the stolen contact list have already been reported.
- Investigations are ongoing by ESDC (Employment and Social Development Canada), the CIO (Chief Information Officer) office, and 2Keys.
- The breach is sparking conversations about more advanced authentication methods (e.g. biometric MFA) that do not rely solely on phone numbers or email addresses.
Why This Matters: Risks & Implications
Even though the data stolen is relatively “light” (contact info), it still presents serious risks:
- Phishing & Social Engineering: Attackers may send targeted emails or SMS messages posing as government agencies, using known contact info to gain trust.
- Credential Replay / Enumeration: With your email or phone number, attackers may try to trick other services you use (banks, online accounts) via password resets or account recovery flows.
- SMS / Call Fraud / SIM Swap Attempts: Knowing your number helps attackers plan or attempt SIM swap attacks or impersonation efforts.
- Undermining Trust in MFA Systems: This breach shows that even MFA layers are not invulnerable if ancillary data (phone, email) is compromised.
- Pressure for Stronger Authentication Systems: Governments and institutions may accelerate adoption of biometrics, hardware tokens, or zero-knowledge approaches (where even service providers can’t see your secret).
What You Should Do Right Now
If you are a user of Canadian federal services or had your MFA set through 2Keys:
- Monitor Your Accounts Carefully: Keep an eye on your CRA, ESDC, CBSA, or any government service accounts for unusual login attempts or notifications.
- Be Highly Skeptical of Unsolicited Messages: Treat emails or SMS asking for verification, codes, or login data as potential attacks. Always verify via official channels (do not click links in suspicious messages).
- Change Passwords & Use Strong MFA Options: Use unique, strong passwords for your accounts. Where possible, switch MFA modes (e.g. from SMS to app, hardware tokens, or biometrics).
- Limit Exposure of Your Phone & Email Publicly: Avoid using the same email or phone number across many services. Use alias emails or secondary numbers where possible.
- Stay Informed of Official Updates: Watch for announcements from 2Keys, ESDC, the Government of Canada, or relevant authorities about remediation steps.
- Consider Professional Help if You See Suspicious Activity: If you suspect fraudulent use or identity attacks, seek expert assistance.
How CIFDS Helps in Cases Like This
At CIFDS, we bring deep expertise in digital forensics, fraud detection, and liaison with authorities. In a lower-severity breach like this, or in cases where the breach is just the starting point, we can:
- Analyze Exposure & Impact: Determine exactly which accounts or users were affected, how, and assess what risk remains.
- Trace Attack Paths: Map how attackers gained access during the update, whether they moved laterally, or accessed any hidden logs or metadata.
- Support Recovery & Mitigation: Help clients tighten MFA settings, reissue credentials, and limit the attack surface moving forward.
- Liaise with Government & Vendor Teams: As a trusted partner, we can engage with 2Keys, government IT departments, and law enforcement to gather updates, demand accountability, and protect our clients’ interests.
- Educate & Harden Defenses: We advise on stronger authentication systems (e.g. biometrics, hardware tokens), threat awareness, and incident-response readiness for similar attacks in future.
Final Thoughts
This breach demonstrates a sobering truth: even the systems meant to protect us can fail. MFA is no longer a silver bullet—especially when the supporting data (phone numbers, email addresses) can be targeted.
For the average user, vigilance, layered defenses, and skepticism of every message you receive become more important than ever. For organizations, the lesson is clear: assume every component in your security stack is a potential target and design for resilience and least exposure.
If you believe your information may have been compromised, or if you want help in assessing or responding to such an incident, CIFDS is here to support you—with clear analysis, direct action, and expert liaison.


