Somewhere, right now, a computer is trying to log into your email account. It is not guessing. It already knows your password. It learned it from a breach you may not remember, at a website you may have forgotten you signed up for, sometime in the last decade. The computer is not impatient. It has 847 million other passwords to try today, and it works through them at roughly 200 per second.

You are not special. Neither is your bank account. Neither is your Aeroplan profile. You are a row in a text file.

This is credential stuffing, and it is the dominant form of account theft on the internet. Not the most dramatic — ransomware gets the headlines, state-sponsored espionage gets the think pieces — but the most common, the most industrial, and in its quiet way the most destructive. It stole $300,000 from Canadian sports bettors on a single November weekend in 2022. It compromised the tax returns, COVID benefit payments, and direct deposit information of 48,500 Canadians through the CRA in the summer of 2020. It reached into 6.9 million people's genetic ancestry data through 23andMe and found it particularly interesting when those people were Jewish or Chinese.

What makes it work is not skill. What makes it work is you.

A DIFFERENT KIND OF LOCK-PICK

Before explaining what credential stuffing is, it helps to say what it isn't.

A brute force attack is a criminal standing at your door trying every key in existence. One lock, infinite keys. Rate limiters and lockout policies will eventually stop it — after ten failed attempts, the system locks the account.

Password spraying is a criminal with a skeleton key that opens roughly 8 percent of doors. The word "Password1!" or "Summer2024" appears with depressing regularity in breach databases. One key, infinite doors. Stopped entirely if you're not using "Spring2025!" as your banking password.

Credential stuffing is different. It is a criminal who found your actual key. Not a guess. Your key. The one you used at the Shopify store that got hacked in 2018, or the fitness app that quietly disclosed a breach in 2021, or the entertainment site that stored 117 million passwords in plaintext and noticed the theft five years after it happened. The criminal did not crack or conjure that password. Someone stole it from somewhere else, put it in a file, sold that file, and now that criminal is trying it on your bank's login page, your Rogers account, your Air Miles profile.

This works because of a stubborn human behaviour: password reuse.

Sixty-six percent of people use the same password for multiple accounts. Not six. Sixty-six. A 2019 Google study of 3,419 respondents found that 13 percent of people use the same password for every account they own. If you are reading this in a room with other people, look around. One in eight of them is using the same password for their email, their bank, their credit card portal, their Netflix account, and their work VPN.

SpyCloud, a dark web intelligence firm, analysed its database in 2024 and found that 74 percent of users exposed in two or more breaches were still reusing the compromised password on other sites. Still using it. After the breach. After the notification email.

The raw material for credential stuffing is not synthetic. It is recycled from your own prior disasters.


THE AMMUNITION DUMP

A combo list is what its name implies: a text file combining usernames — usually email addresses — with their associated passwords.

glen.smith@gmail.com:Hockey97

One line. One login. One weapon.

These files exist because of data breaches, and there have been enough data breaches to supply an industrial operation at planetary scale. Troy Hunt is an Australian security researcher who has spent more than a decade cataloguing stolen credentials at HaveIBeenPwned.com. By early 2026, his database tracked over 963 breached organisations and more than 14 billion compromised accounts. In January 2024, a researcher discovered an aggregation called the Mother of All Breaches — 26 billion records in a single database, pulled from everything from LinkedIn (117 million records stolen in 2016, not disclosed until 2021) to Dropbox to a Chinese platform called Tencent that contributed 1.5 billion records on its own.

In June 2025, Cybernews reported a find of 16 billion passwords from infostealer malware — a different and increasingly important supply chain. Infostealers are malicious programmes installed on victims' computers that silently capture every password typed, every cookie stored, every saved credit card number, and upload the haul to a server. Lumma, RedLine, and Raccoon are the three most prevalent. They rent on a subscription basis for roughly $150 to $250 per month. By 2025, Vectra AI estimated that infostealers had stolen 1.8 billion credentials in that year alone — a 160 percent increase over 2024.

The credential market operates with the efficiency of a commodity exchange. Raw combo lists sell for pennies per thousand entries. Verified hits — accounts confirmed working on specific platforms — command $1 to $5 for streaming services, $120 to $250 for verified cryptocurrency exchange accounts, and up to $1,170 for a confirmed Kraken account with a balance. Medical records go for up to $500 each. A "fullz" — criminal shorthand for a complete identity package with name, Social Insurance Number, date of birth, address, and banking credentials — sells for $20 to $200 depending on credit score.

You get to be the raw material of a pricing schedule.

THE MACHINE

Understanding what credential stuffing looks like in practice requires understanding the tools. They are, in their way, impressive. Not in a good way. In the way a compound fracture is impressive.

SentryMBA was the dominant tool from roughly 2014 to 2018. Think of it as a credential-testing engine with a plugin architecture. Attackers downloaded config files — attack blueprints — that told the software exactly how a specific website's login page worked: where to POST the username, where to POST the password, how to grab the security tokens that prevent multiple form submissions, what a successful login response looks like versus a failed one. Config files circulated freely. Forum posts from that era show them trading for anywhere from free to $30.

OpenBullet 2, released in 2019, replaced SentryMBA as the industry standard and remains dominant today. It runs on Windows, Mac, and Linux. It has a visual, drag-and-drop interface for building attack configs — a Stacker editor where even technically inexperienced operators can assemble attack sequences by dropping blocks together like a criminal version of a children's coding game. The FBI referenced it by name in an official advisory, noting it ships with easy access to pre-built configs that work with residential proxies. YouTube tutorials for it have accumulated upwards of 58,000 views.

Other tools include SNIPR (supported over 100 pre-built configs, sold for $20 USD), BlackBullet (530-plus configs, $30 to $50 USD), and Private Keeper, which at one point sold in Russian-speaking forums for 49 rubles — less than one US dollar.

The tools are only part of the infrastructure. To avoid detection, attackers need proxies.

An IP address rate limiter will eventually block an attacker who hammers a login page from a single address. So attackers route their traffic through residential proxies: real computers in real homes, belonging to real people who have no idea their internet connection is being rented out. Your neighbour's laptop might be one of them. Your own phone might be one of them, if a particular app harvested your connection without disclosing it.

IPinfo.io tracked 170 million residential proxy IP addresses over 90 days in early 2026. The average residential proxy IP was only visible for 4.56 days before rotating. The industry's largest providers — Bright Data, formerly Luminati; Oxylabs; Smartproxy — supply millions of IPs through legitimate business models that serve both legal and illegal customers.

Then there are CAPTCHAs. The "I am not a robot" checkbox. The distorted letters. The "click all traffic lights" tests. Attackers solve these in bulk through services like 2Captcha, which routes challenges to human workers in low-wage countries and charges between $1 and $5 per thousand solutions. A newer service, CapMonster Cloud, uses AI to solve reCAPTCHA v2 challenges for approximately 60 cents per thousand. Running 1 million login attempts with full CAPTCHA bypass costs around $1,000 in solving fees. At a 1.5 percent success rate — the midpoint of the industry benchmark — that produces 15,000 compromised accounts.

One thousand dollars in. Fifteen thousand accounts out.

Recorded Future estimated in their credential stuffing economy report that a complete attack operation can be assembled for as little as $550 USD, with a projected minimum return of at least 20 times that investment. Most campaigns do substantially better. This is not the economics of desperate crime. This is the economics of a business.
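The three attack shapes described above (one account hammered from one address, one common password tried against many accounts, each account tried once with its own leaked password from a rotating pool of residential proxies) look different in a login log even though the log never shows which passwords were tried. The following is an added example, not code from the article or from any vendor named in it: a triage pass that buckets a server's authentication log by minute and labels each window from attempts per account, IP diversity and failure rate. The log format, usernames, addresses and thresholds are all constructed for the example.

```python
"""
Added example, not code from the article: a triage pass over a login log that
tells brute force, password spraying and credential stuffing apart by the shape
of the traffic (attempts per account, IP diversity, failure rate), since the
log never shows which passwords were tried.

Everything here is constructed for the example: the log line format
"<timestamp> <ip> <username> OK|FAIL", the usernames, the addresses and the
thresholds. Real logs and real thresholds will differ.
"""
import re
from collections import defaultdict
from dataclasses import dataclass

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<ip>\S+) (?P<user>\S+) (?P<result>OK|FAIL)$")


@dataclass
class WindowStats:
    attempts: int
    failures: int
    distinct_users: int
    distinct_ips: int
    max_per_user: int


def parse(log_text):
    """Parse log lines; malformed lines are skipped rather than trusted."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append(m.groupdict())
    return events


def window_stats(events):
    """Bucket events by minute (timestamp truncated to YYYY-MM-DDTHH:MM) and summarise."""
    buckets = defaultdict(list)
    for e in events:
        buckets[e["ts"][:16]].append(e)
    stats = {}
    for key, evs in buckets.items():
        per_user = defaultdict(int)
        for e in evs:
            per_user[e["user"]] += 1
        stats[key] = WindowStats(
            attempts=len(evs),
            failures=sum(1 for e in evs if e["result"] == "FAIL"),
            distinct_users=len(per_user),
            distinct_ips=len({e["ip"] for e in evs}),
            max_per_user=max(per_user.values()),
        )
    return stats


def classify(s, min_attempts=20, min_fail_rate=0.8):
    """Label one window. The thresholds are illustrative assumptions."""
    if s.attempts < min_attempts or s.failures / s.attempts < min_fail_rate:
        return "normal"
    if s.max_per_user >= 10 and s.distinct_users <= 3:
        return "brute_force"            # one lock, many keys
    if s.distinct_users >= 20 and s.attempts / s.distinct_users <= 2:
        # One or two tries per account: spraying or stuffing. Stuffing arrives
        # through rotating residential proxies, so the IP count tracks the
        # attempt count; spraying from one box reuses a handful of addresses.
        if s.distinct_ips >= 0.5 * s.attempts:
            return "credential_stuffing"
        return "password_spraying"      # one key, many doors
    return "suspicious"


def triage(log_text):
    """Map each minute window to its label."""
    return {k: classify(s) for k, s in sorted(window_stats(parse(log_text)).items())}


def constructed_log():
    """Constructed sample: four one-minute windows, one per traffic shape."""
    lines = []
    for i in range(30):   # 10:00 brute force: one account, one IP, 30 failures
        lines.append(f"2025-06-01T10:00:{i:02d}Z 203.0.113.7 alice FAIL")
    for i in range(30):   # 10:05 spraying: 30 accounts, one try each, one IP
        lines.append(f"2025-06-01T10:05:{i:02d}Z 203.0.113.9 user{i:03d} FAIL")
    for i in range(30):   # 10:10 stuffing: 30 accounts, 30 IPs, two of them hit
        result = "OK" if i % 15 == 0 else "FAIL"
        lines.append(f"2025-06-01T10:10:{i:02d}Z 198.51.100.{i + 1} user{i:03d} {result}")
    for i in range(25):   # 10:15 normal: mostly successful logins
        result = "FAIL" if i % 5 == 0 else "OK"
        lines.append(f"2025-06-01T10:15:{i:02d}Z 192.0.2.{i + 1} user{i:03d} {result}")
    return "\n".join(lines)


if __name__ == "__main__":
    for window, label in triage(constructed_log()).items():
        print(window, label)
```

The point of the IP-diversity test is the one the proxy paragraph makes: a per-address rate limiter sees the brute-force and spraying windows as a single noisy source, but the stuffing window presents as thirty unrelated visitors each failing once, which is exactly why defenders lean on account-level signals (failure rate across many accounts, known-breached credential pairs, device fingerprinting) rather than on IP counts alone.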

THE MARKETPLACE

Where do confirmed accounts go after they're validated? The same places the credentials came from: dark web forums and dedicated criminal markets.

Genesis Market operated from 2018 until April 4, 2023. It sold not just credentials but entire bot fingerprints — packaged digital identities including saved cookies, browser settings, and IP history, which allowed buyers to log into compromised accounts in a way that appeared to fraud detection systems to be the original owner returning from a familiar device. It listed over 80 million account credentials from 1.5 million compromised computers. Individual bots sold for less than a dollar to over $300 depending on the richness of the victim's digital footprint. An international operation across 17 countries, led by the FBI and called Operation Cookie Monster, seized its servers and arrested 119 people.

Then BreachForums reopened.

BreachForums went through at least four incarnations between 2022 and the end of 2025. Its original administrator, Conor Brian Fitzpatrick — known online as "Pompompurin" — was arrested by the FBI in March 2023. ShinyHunters, a hacker collective, took it over. French authorities arrested four of their members in June 2025. A database of 324,000 BreachForums criminal user accounts was itself leaked in January 2026. The site continued to operate through multiple seizures and arrests because the underlying demand never went away.

Russian Market emerged in 2019 and remains the dominant marketplace for infostealer logs. By 2023, it hosted over 5 million stolen credential sets. In Q4 2024, Lumma malware accounted for 92 percent of the logs on the platform.

A 2025 pricing survey from DeepStrike documented current market rates. Bank login credentials with a $2,000 balance: $120 to $200 USD. PayPal accounts: $20 to $50 USD. Full identity packages: $20 to $200 USD. Government-issued ID scans: $15 to $30 USD. The prices are remarkably stable. Supply outpaces demand so thoroughly that bulk credentials have become a commodity.

WHO DOES THIS

The credential stuffing ecosystem spans a spectrum from organised crime syndicates to teenagers who watched too many YouTube tutorials.

ShinyHunters emerged in 2020 and over the following years leaked data affecting more than one billion people across dozens of breaches including Ticketmaster (560 million records) and Santander Bank. French national Sébastien Raoult was sentenced to three years in prison and ordered to pay over $5 million USD in restitution.

Scattered Spider — tracked by intelligence firms under the names UNC3944 and Octo Tempest — is composed primarily of English-speaking 19-to-22-year-olds in the United States and United Kingdom. They are responsible for the September 2023 MGM Resorts breach, which cost the casino company over $100 million USD, and the concurrent attack on Caesars Entertainment, which paid a $15 million USD ransom. They use credential theft combined with social engineering: calling IT help desks, impersonating employees, manipulating workers into resetting multi-factor authentication. Not technically sophisticated. Extremely effective.

LAPSUS$ breached Microsoft, Nvidia, Samsung, and Okta between 2021 and 2022. UK police arrested several members. Some were teenagers. The youngest was 16.

These groups are connected by a loose network of English-speaking financially motivated actors called "The Com," collaborating across Telegram and Discord. But most credential stuffing is done by none of them. It is done by individuals with no particular expertise, assembling the available tools, spending $550 USD, and making at least 20 times that back.

Kasada, a bot-detection firm, infiltrated 22 credential stuffing groups and reported that multi-factor authentication bypass services — human operators standing by to intercept authentication codes in real time — were available to group members for as little as $15 USD per attempt. The market has professionalised every friction point.

THE INCIDENTS, IN ORDER

What this machinery actually produces is best understood through specific disasters.

Disney+, November 2019

The streaming service launched on November 12. Within hours, thousands of accounts were hijacked and appearing on dark web forums for $3 to $11 USD each. The company said it was not a breach — and technically, that was accurate. The credentials came from everywhere else. Disney offered no multi-factor authentication at launch.

Nintendo, April–June 2020

The legacy Nintendo Network ID system required a minimum of just 6 characters for passwords and offered no two-factor authentication. Three hundred thousand accounts were compromised. Fraudulent purchases were charged to saved payment methods. The attack was enabled by infrastructure Nintendo had not bothered to update.

Zoom, April 2020

As the world moved its meetings and schools and therapy sessions onto Zoom — growing the platform from 10 million to over 300 million daily users — the cybersecurity firm Cyble discovered and purchased 530,000-plus compromised Zoom accounts on hacker forums for $0.002 USD each. Credentials from Chase Bank, Citibank, and multiple universities were among the accounts, reused by employees and students who also happened to have Zoom accounts.

Canada Revenue Agency, August 2020

This one is worth slowing down for.

In August 2020, the CRA announced that 48,500 Canadian tax accounts had been compromised in credential stuffing attacks exploiting the GCKey authentication system. Attackers already possessed the usernames and passwords — harvested from prior breaches elsewhere — and GCKey, due to a misconfiguration that had existed for 20 months, was not properly enforcing its security question requirements.

Direct deposit information was changed. COVID-19 CERB payments were redirected to attackers. Benefit applications were fraudulently submitted. Tax refunds were intercepted.

The Privacy Commissioner's Special Report, released in February 2024 after a three-and-a-half-year investigation, found that both the CRA and Employment and Social Development Canada had contravened the Privacy Act. The misconfiguration had been sitting there since December 2018 — through a federal election, through the beginning of a global pandemic — and nobody had noticed.

Federal Budget 2021 allocated $330.6 million over five years for CRA cybersecurity. A class-action lawsuit — Sweet v. HMK — has a settlement hearing scheduled for March 31, 2026.

Forty-eight thousand five hundred Canadians. Twenty months of open door.

DraftKings, November 2022

Over a single weekend, attackers compromised 67,995 DraftKings customer accounts and stole up to $300,000 USD. The mechanism was methodical: make a small $5 deposit to confirm payment method availability, change the account password, add two-factor authentication tied to a phone the attacker controlled, then withdraw. DraftKings reimbursed all affected customers. A teenager named Joseph Garrison later pleaded guilty. He was sentenced to 18 months in prison in January 2024.

PayPal, December 2022

Between December 6 and 8, a 48-hour credential stuffing attack compromised 34,942 accounts, exposing Social Security numbers, dates of birth, and transaction histories. PayPal settled with the state of New York for $2 million USD in civil penalties.

Norton LifeLock, December 2022

Attackers used credential stuffing to break into the accounts of a cybersecurity company's customers — the same company selling the proposition that it would protect those customers from exactly this kind of attack. Norton locked 925,000 accounts and confirmed that over 6,500 Norton Password Manager users had been breached. If those users had reused their Norton account password as their Password Manager master password, attackers had the keys to every account those users stored.

Think about that for a moment.

Chick-fil-A, December 2022 to February 2023

A two-month sustained attack compromised 71,473 loyalty accounts. Compromised accounts, with their gift card balances and stored payment methods, sold on Telegram for $2 to $200 USD each depending on available balance.

23andMe, April to October 2023

The attack on 23andMe began with direct credential stuffing against roughly 14,000 accounts. What made it catastrophic was the company's DNA Relatives and Family Tree features, which created a web of connections between accounts. By following those connections, the attacker — using the handle "Golem" — reached data on 6.9 million users without ever logging into their accounts. According to a February 2025 academic analysis of the breach, a single account was logged into over one million times in a single day in July 2023.

Data on Ashkenazi Jewish and Chinese descent users was specifically targeted and packaged for sale. Approximately 320,000 Canadians were among those affected.

A $50 million USD settlement was proposed, plus a separate $3.5 million Canadian settlement. The UK's Information Commissioner's Office fined the company £2.31 million specifically because it had failed to protect against credential stuffing. 23andMe filed for bankruptcy in March 2025 and was sold for $305 million USD in June of that year. The people who bought the company paid less for it than the cost of a mid-sized apartment complex.

Roku, January and April 2024

Two attacks. A combined 591,000 compromised accounts. In fewer than 400 cases, attackers made unauthorised purchases of streaming subscriptions and hardware using stored payment information. Roku responded by mandating two-factor authentication for all 80 million-plus accounts.

THE SCALE NOBODY TALKS ABOUT

Individual incidents make for graspable stories. They have victims and perpetrators and dollar figures. The aggregate scale is something else entirely.

Okta processes authentication for thousands of organisations. In the first 90 days of 2022, it recorded nearly 10 billion credential stuffing events. That was 34 percent of all authentication traffic on its platform, up from 16.5 percent the previous year. On peak days, credential stuffing reached 44 percent of all Okta authentication attempts. Auth0, an Okta subsidiary, has reported that nearly half of all daily login requests on its platform are credential stuffing attempts.

Akamai recorded 193 billion credential stuffing attempts across its network in 2020. By 2024, the global volume had reached approximately 26 billion attempts per month.

The Verizon 2025 Data Breach Investigations Report found that 22 percent of all confirmed breaches began with stolen credentials. IBM's 2024 Cost of a Data Breach Report calculated the average cost of a breach involving stolen credentials at $4.81 million USD, with a mean detection timeline of 292 days — nearly ten months from intrusion to containment. Akamai documented a single credential stuffing campaign that cost one financial institution between $550,000 and $55 million USD, depending on how indirect costs were accounted for.

These are not hacks in the dramatic sense of the word. No exotic vulnerabilities exploited. No sophisticated malware installed. Someone tried your password at your bank's login page, at scale, for very little money, and usually did not get caught.

The machines are not impatient. They have 847 million other passwords to try today.

WHAT STOPS IT — FOR ORGANISATIONS

The single most effective countermeasure is also the simplest: multi-factor authentication.

Microsoft security engineer Alex Weinert published in August 2019 that MFA makes accounts more than 99.9 percent less likely to be compromised, based on analysis of 300 million fraudulent sign-in attempts per day against Microsoft cloud services. Google required all 85,000-plus employees to use physical security keys starting in early 2017. Since implementation: zero confirmed account takeovers due to credential theft. The FBI and the Cybersecurity and Infrastructure Security Agency explicitly recommend hardware keys as the gold standard.

Not all MFA is equal. SMS-based two-factor authentication is vulnerable to SIM swapping, interception, and real-time relay attacks. The American National Institute of Standards and Technology classifies SMS as a RESTRICTED authenticator. Time-based authenticator apps — Google Authenticator, Microsoft Authenticator, Authy — are substantially better. Hardware security keys are best.

The second most important control is checking submitted passwords against breach databases. The National Institute of Standards and Technology's SP 800-63B Revision 4, published in August 2025, now requires this. The Pwned Passwords API from Troy Hunt's Have I Been Pwned handles over 18 billion requests per month, using a technique called k-anonymity that lets a system check whether a password has appeared in a breach without ever transmitting the actual password. If a user is about to set a password that exists in a breach database, the system rejects it before any attacker has the chance.
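The k-anonymity trick is simple enough to show end to end. What follows is an added example, not the article's code and not Have I Been Pwned's own implementation: the client hashes the candidate password with SHA-1, sends only the first five hex characters of the hash, receives every suffix the server holds under that prefix, and finishes the comparison locally, so the server sees neither the password nor its full hash. The in-memory "server", its breach corpus and the counts are constructed for the example; the real service holds billions of hashes.

```python
"""
Added example, not from the article and not Have I Been Pwned's code: the
k-anonymity range query used by the Pwned Passwords API, simulated offline.

The breach corpus here is constructed for the example. The combo-list password
from earlier in the article is included so the check has something to find.
"""
import hashlib
from collections import defaultdict

# Constructed corpus: password -> number of times seen in breaches (made-up counts).
CONSTRUCTED_BREACHED = {"Hockey97": 12, "Password1!": 87000, "Summer2024": 1500}


def sha1_hex(password: str) -> str:
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


class PwnedPasswordsServer:
    """Stand-in for the remote range endpoint; it only ever sees 5-character prefixes."""

    def __init__(self, corpus: dict[str, int]):
        self._by_prefix: dict[str, dict[str, int]] = defaultdict(dict)
        for password, count in corpus.items():
            h = sha1_hex(password)
            self._by_prefix[h[:5]][h[5:]] = count
        self.requests: list[str] = []   # record of what the server received

    def range(self, prefix: str) -> list[str]:
        """Return 'SUFFIX:COUNT' lines for every stored hash sharing this prefix."""
        if len(prefix) != 5:
            raise ValueError("range queries take exactly five hex characters")
        self.requests.append(prefix)
        return [f"{suffix}:{count}" for suffix, count in sorted(self._by_prefix[prefix].items())]


def breach_count(password: str, server: PwnedPasswordsServer) -> int:
    """Client side: send the prefix, match the suffix locally, never send the password."""
    h = sha1_hex(password)
    prefix, suffix = h[:5], h[5:]
    for line in server.range(prefix):
        candidate, count = line.split(":")
        if candidate == suffix:
            return int(count)
    return 0


def accept_new_password(password: str, server: PwnedPasswordsServer) -> bool:
    """Policy from SP 800-63B: reject any password that has appeared in a breach."""
    return breach_count(password, server) == 0


if __name__ == "__main__":
    srv = PwnedPasswordsServer(CONSTRUCTED_BREACHED)
    for pw in ("Hockey97", "a-long-unique-passphrase-9f2k"):
        print(pw, "seen", breach_count(pw, srv), "times; accepted:", accept_new_password(pw, srv))
    print("server received only:", srv.requests)
```

The real service answers with every suffix under the prefix (on the order of hundreds per prefix) and can pad responses to a constant size on request, so an observer of the traffic learns only that the password is one of a few hundred candidates out of billions, which is the "k" in k-anonymity.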

Beyond that, organisations deploy bot detection platforms that analyse traffic characteristics no human observer could monitor: TLS fingerprints, behavioural patterns, mouse movement, typing cadence, browser characteristics. HUMAN Security verifies over 15 trillion internet interactions per week across 3 billion devices. F5 Distributed Cloud Bot Defence — whose underlying technology F5 acquired from Shape Security for approximately $1 billion USD in January 2020 — protects 1.3 billion user accounts and claimed to have prevented over $1 billion USD in fraud losses in a single year.

WHAT STOPS IT — FOR INDIVIDUALS

One habit eliminates the threat. One.

Use a different password for every account you own.

That is all. If your Netflix password appears in a breach, it cannot be used to log into your bank because the two accounts have different passwords. Credential stuffing ends there. The reason most people don't do this is obvious: memorising sixty unique, complex passwords is impossible. Password managers solve this entirely. You memorise one master password — strong, unique, memorable — and the software generates, stores, and auto-fills a unique random password for every other site.

Recommended managers: 1Password (founded in Ontario; $2.99/month USD) uses AES-256 encryption plus a unique Secret Key and includes a Travel Mode for border crossings. Bitwarden is open-source, free in its basic tier, self-hostable, and has been fully audited by third-party security researchers. Dashlane at $4.99/month USD includes dark web monitoring. KeePass is completely free and entirely offline.

The next generation of defence is passkeys. They use public-key cryptography: when you create a passkey for a site, a unique cryptographic key pair is generated for that specific site. The private key never leaves your device. Nothing reusable is ever transmitted. There is nothing to steal, reuse, or stuff. Apple, Google, and Microsoft have all committed to passkeys as their default authentication method. The FIDO Alliance reported in October 2025 that passkeys achieve a 93 percent login success rate versus 63 percent for traditional authentication.

Hardware security keys are available today. The YubiKey 5 Series, ranging from $50 to $80 USD, supports FIDO2, WebAuthn, and smart card protocols, working with over 300 services. The Google Titan Security Key runs $30 to $35 USD. With a hardware key, an attacker who has your password still cannot log in without physically possessing the key.

Check whether your accounts have been compromised at haveibeenpwned.com. It is free. It requires no account. You type your email address and it tells you every breach it has ever appeared in. Canadian users should know that over 207.4 million accounts associated with Canadian individuals have appeared in data breaches since 2004. Canadians also average 15 password reuses per password. That is the highest rate of any country studied.

That last statistic should bother you if you live here.

IF IT'S ALREADY HAPPENED

You come home and there is a purchase confirmation in your inbox for something you did not buy. Or your bank calls about a transfer you did not authorise. Or your Netflix password suddenly does not work.

Move immediately. Do not wait to be certain.

Change the compromised password. Then identify every other account where you used the same password — every single one — and change those too. Enable multi-factor authentication everywhere, starting with your email. Email is the master key: an attacker who controls your inbox can reset every other password you own.

Check your account recovery settings. Attackers commonly add a secondary email address or phone number before locking out the original user. Remove anything you did not add.

Look at your loyalty programme balances. Aeroplan points, Scene+ points, Tim Hortons credits — all of these have real cash value and all of them are targeted.

In Canada, report to the Canadian Anti-Fraud Centre at 1-888-495-8501 or online at reportcyberandfraud.canada.ca. The CAFC's own annual report estimates that only 5 to 10 percent of fraud victims actually report incidents. If you believe your Social Insurance Number has been compromised, call Service Canada at 1-866-274-2267. Place fraud alerts with Equifax Canada (1-800-465-7166) and TransUnion Canada (1-800-663-9980).

A note on credit freezes: Canadians do not have the same credit freeze rights Americans do. A credit freeze — which prevents any new credit accounts from being opened in your name — is a legal right only in Quebec, under the Credit Assessment Agents Act. In other provinces, you can request fraud alerts but cannot flatly prohibit new credit from being issued. This is a gap in Canadian consumer protection.

If the breach involves a federal government account — CRA, Service Canada, EI, CERB — contact the relevant agency and escalate to the RCMP's National Cybercrime Coordination Centre, accessible through the CAFC.

File a complaint with the Office of the Privacy Commissioner of Canada at priv.gc.ca if you believe an organisation failed to protect your data.

THE LAW

Canadian Criminal Code Section 342.1 — the primary statute — covers everyone who fraudulently obtains computer services, intercepts computer functions, or uses, possesses, or traffics in a computer password. Maximum penalty for an indictable offence: 10 years. Section 342.1(d) specifically criminalises possessing or trafficking in passwords, directly applicable to credential stuffing operations. Section 342.2, covering possession of devices designed for unauthorised computer access — which describes tools like OpenBullet precisely — carries a maximum of two years. Section 380 covers fraud over $5,000: up to 14 years.

Under PIPEDA's mandatory breach notification requirements, in force since November 1, 2018, organisations must report any breach creating a real risk of significant harm to the Office of the Privacy Commissioner as soon as feasible and notify affected individuals. Penalties reach $100,000 CAD per violation. Quebec's Law 25, now fully in force, adds administrative fines up to C$10 million or 2 percent of worldwide turnover, and penal fines up to C$25 million or 4 percent of worldwide turnover.

In the United States, the Computer Fraud and Abuse Act allows for up to 10 years on a first offence and 20 years for repeat offenders. Joseph Garrison, the teenager who stole $300,000 USD from DraftKings customers, received 18 months. Sébastien Raoult of ShinyHunters received 3 years.

Enforcement has historically been more aggressive against victim companies than perpetrators. The New York Attorney General fined Dunkin' Donuts $650,000 USD in 2020. PayPal paid $2 million USD to New York in 2023. The UK Information Commissioner's Office fined 23andMe £2.31 million specifically for failing to protect against credential stuffing.

The theory is deterrence through corporate liability. Punish the organisations until they build the defences. So far, the theory is working about as well as you might expect.

WHAT REMAINS

Credential stuffing is, at its foundation, a tax on password reuse — and like most taxes, it is paid disproportionately by people who can least afford it. The person who loses $300 in Aeroplan points does not have a fraud department to call. The person who had their CERB payment redirected during a pandemic — already out of work, already scared — spent months trying to prove to the CRA that someone else had cashed their cheque.

The tools to stop this exist. A password manager costs $36 a year or nothing. An authenticator app is free. HaveIBeenPwned is free. The CAFC hotline is free. Passkeys are built into your phone already.

The gap between what would stop this and what most people are actually doing is not a technology gap. It is not even a knowledge gap, exactly. It is the gap between knowing something is true and doing something about it before the account lockout email arrives.

That gap is what the machine is counting on. It is a very small gap. The machine has a great deal of time.

BEHIND THE STORY

This article is drawn entirely from publicly available sources including court records; official releases from the Office of the Privacy Commissioner of Canada, the CRA, and the Treasury Board of Canada Secretariat; FBI advisories; and FTC enforcement actions. Security data comes from industry threat reports published by Verizon (2025 DBIR), SpyCloud (2025 and 2026 Identity Exposure Reports), Akamai, IBM, Ponemon Institute, Imperva, F5 Labs, Recorded Future, Kasada, Okta, and HUMAN Security. Incident reporting sourced from Bleeping Computer, The Record, SecurityWeek, CPO Magazine, and Keeper Security. Dark web intelligence from Cybernews, Darknet.org.uk, and DeepStrike. Legal framework from the Department of Justice Canada, the Privacy Commissioner of Canada, McCarthy Tétrault, and Baker McKenzie. Credential pricing data from DeepStrike's 2025 published survey.

All statistics are sourced as cited. No law enforcement sources were contacted. No dark web forums were accessed.

The 23andMe one-million-login figure is drawn from an academic analysis published on arXiv in February 2025 (arXiv:2502.04303) and was not part of the company's official breach disclosure. The Canadian settlement in the 23andMe matter has been proposed but not finalised as of publication. The Sweet v. HMK class-action settlement hearing is scheduled for March 31, 2026.

Readers who believe their accounts may have been compromised are encouraged to visit haveibeenpwned.com and getcybersafe.gc.ca, and to contact the Canadian Anti-Fraud Centre at 1-888-495-8501 or at reportcyberandfraud.canada.ca.

© The Media Glen Publishing / Synexmedia.com