Canada Post says it is resetting passwords for all online customer accounts after a report that some personal information may have been compromised in 2017.
The postal service says that login names and passwords stolen in privacy breaches elsewhere may have been used to access Canada Post accounts if customers reused their login credentials on multiple sites.
It maintains that this form of access, known as credential stuffing, does not constitute a breach of the Canada Post system.
“There has not been a cyberattack or hack of the Canada Post network,” it said in a release.
Canada Post spokesman Philipe Legault said customers provide their address along with login info when setting up accounts to track packages and other services.
He said that after an initial investigation the postal service believes the number of people affected is small, and affected users have already been contacted. He said Canada Post isn’t releasing the suspected number of people affected while a third party investigates further.
“While this is not a breach of the Canada Post network, we understand our obligation to our customers and all Canadians to keep their information safe,” the corporation said in an email to customers. “We will be reviewing our policies and procedures to determine how we can continue to improve the security of our online platforms.”
In a separate incident, Canada Post said last November that someone had used its delivery tracking tool to gain access to personal information of 4,500 customers of the Ontario Cannabis Store, but it declined to identify the information.