Credential Stuffing By only relying on a single authentication factor, not doing any risk base authentication (ex: known device for authentication) and user’s negligence (leveraging same username and password across multiple sites) the threat agent was potentially able to: • Impersonate a user and change his personal information (banking information, address, security question and answers, etc.); • Apply for Employment Insurance (when CERB wasn’t available); • Apply for Canada Emergency Response Benefit through CRA Linkages; • Change the banking information of pensioners; • Apply for Grants; • Submit Record of Employment for given social insurance numbers; • Change employers contact information.