TurboTax accounts breached in credential stuffing attack exposing users’ tax return information

Financial software company Intuit recently learned that TurboTax users’ tax return information was compromised in a credential stuffing attack. In a security notice, Intuit disclosed that an unauthorized party accessed TurboTax accounts using username-password combinations obtained from a non-Intuit source.

Why it matters – The unauthorized party who gained illegal access to TurboTax user accounts obtained information contained in the previous year’s tax return or the current tax return in progress.

  • The exposed information includes users’ names, Social Security numbers, addresses, dates of birth, and driver’s license numbers.
  • The compromised information also includes users’ financial information, such as salary and deductions.

Worth noting – The financial software company learned about the incident while conducting a security review of its systems.

“In an effort to protect our customers’ personal information, we conducted a review of all customer accounts late last month. Our review identified that your TurboTax account may have been accessed by someone other than you,” the consumer notification letter read.

  • Upon learning about the incident, Intuit temporarily disabled the impacted TurboTax accounts.
  • The company has reset the passwords of the breached TurboTax accounts.
  • The company started investigating the incident and notifying the potentially affected users.
  • Intuit is offering potentially affected users one year of free credit monitoring, identity protection, and identity restoration services.

“We’ve made your TurboTax accounts temporarily unavailable to protect your information from further unauthorized access. To help protect you, we’re offering one year of free identity protection, credit monitoring, and identity restoration services through Experian IdentityWorks, provided by our credit-monitoring partner Experian,” the security notice read.

What you should do – Intuit has asked its users to do the following to protect their information.

  • The financial software company has suggested that users place a 90-day security alert on their credit file to reduce the chance of identity theft.
  • The company has recommended that users place a security freeze on their credit files, which will prevent others from accessing their credit report.
  • It has recommended that users obtain their credit reports and review them thoroughly.
  • It has further recommended that users review their bank, credit card, and other account statements and immediately report any suspicious activity.
