Intuit, the company behind tax preparation software TurboTax, said users' accounts may have been accessed by an unauthorized party.
Threat actors used usernames and password combinations obtained from a non-Intuit source after an undisclosed number of TurboTax accounts were breached in a credential stuffing attack.
Tax returns from the prior year, current tax returns in progress, names, social security numbers, addresses, dates of birth, driver’s license numbers and financial information such as salaries and deductions were compromised, according to the notification.
Intuit temporarily made the affected accounts unavailable to protect their information from further unauthorized access and, to help protect users, is offering a year of free identity protection, credit monitoring and identity restoration services.
According to the TurboTax data breach notification filed with the Office of the Vermont Attorney General, the breach was discovered during a security audit of Intuit's systems.
Adam Laub, senior vice president of product management at STEALTHbits Technologies, warns that those who use the same password across different sites are ripe for the picking.
“Credential stuffing ceases to be a viable attack technique when users leverage different, unique passwords across the various sites and services they log into,” Laub said. “However, our innate desire to remember as little information as possible in an age where all the information we may ever want to recall is literally at our fingertips continues to drive the use of the same username and password combination to everything we access, from our bank accounts and medical records to of course our tax returns.”
Laub explained that with just an ounce more effort and the use of any password management tool, this particular attack technique could become completely useless, but until then we will continue to see these kinds of attacks more often. Intuit has not yet responded to SC Media's request for comment.
Intuit provided the following statement concerning the incident.
"To be wholly clear, there was no data breach of Intuit’s systems or any third party accessing Intuit systems.
The notice referenced in a recent blog post is a notification Intuit sent to Vermont informing of Intuit discovering what it believes is unauthorized access of a customer’s account as a result of a fraudulent account log-in – an Account Takeover, not a data breach of Intuit. This notice is standard communication between Intuit and states and does not constitute notice of a systemic data breach.
After discovering what we believe is unauthorized access to an individual’s account, we conducted an investigation and took steps to secure our customers’ accounts and information. We believe a third party used legitimate log-in credentials that were obtained from non-Intuit sources and used them to access an Intuit account. As someone in your field knows, an individual’s account login information may have been acquired from any number of sources other than Intuit.
The security of our products and our customers’ data is a top priority and we continue to invest in security and fraud protection, including:
o Providing Suspicious Activity Reports for additional investigation based on risk scoring.
o Developing third-party partnerships to provide knowledge-based authentication.
o Validating IP addresses to look for discrepancies in IP addresses and block high-risk transactions from suspect geographies.
o Implementing multi-factor authentication that requires customers to validate their identity in multiple ways to reduce the possibility of tax refund fraud.
o Creating an end-to-end fraud resolution process to assist affected customers in resolving fraud and restoring their identity.
o Linking federal and state returns and requiring them to be filed simultaneously."
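The credential stuffing pattern described in this article (many distinct usernames tried from one source with mostly failed logins, and the occasional success being the account takeover) is the kind of signal the IP validation and risk scoring controls above look for. The following is an added illustration, not Intuit's code; the log format, the sample lines and the thresholds are assumptions.

```python
# Added example (not Intuit's code): flag source IPs whose login attempts
# look like credential stuffing, i.e. many distinct usernames tried from one
# address with a high failure rate. Log format and thresholds are assumptions.
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines: "<timestamp> <src_ip> <username> <result>".
# 203.0.113.7 walks a leaked username/password list; one login (dave) succeeds.
SAMPLE_LOG = """\
2019-02-20T10:00:01 203.0.113.7 alice FAIL
2019-02-20T10:00:02 203.0.113.7 bob FAIL
2019-02-20T10:00:03 203.0.113.7 carol FAIL
2019-02-20T10:00:04 203.0.113.7 dave OK
2019-02-20T10:00:05 203.0.113.7 erin FAIL
2019-02-20T10:00:06 203.0.113.7 frank FAIL
2019-02-20T10:00:07 203.0.113.7 grace FAIL
2019-02-20T10:00:08 203.0.113.7 heidi FAIL
2019-02-20T10:00:09 203.0.113.7 ivan FAIL
2019-02-20T10:00:10 203.0.113.7 judy FAIL
2019-02-20T10:05:00 198.51.100.4 alice FAIL
2019-02-20T10:05:30 198.51.100.4 alice OK
"""

def parse_line(line):
    ts, ip, user, result = line.split()
    return datetime.fromisoformat(ts), ip, user, result == "OK"

def find_stuffing_sources(log_text, window=timedelta(minutes=5),
                          min_users=8, max_success_rate=0.2):
    """Return {ip: (distinct_users, attempts, successes)} for IPs that tried
    at least `min_users` distinct accounts within `window` with a success
    rate at or below `max_success_rate`. A normal user retyping their own
    password (198.51.100.4) touches one account and is not flagged."""
    events = sorted(parse_line(l) for l in log_text.splitlines() if l.strip())
    by_ip = defaultdict(list)
    for ts, ip, user, ok in events:
        by_ip[ip].append((ts, user, ok))
    flagged = {}
    for ip, evs in by_ip.items():
        start = 0
        for end in range(len(evs)):
            # Slide the window start forward so all events fit in `window`.
            while evs[end][0] - evs[start][0] > window:
                start += 1
            span = evs[start:end + 1]
            users = {u for _, u, _ in span}
            successes = sum(1 for _, _, ok in span if ok)
            if len(users) >= min_users and successes / len(span) <= max_success_rate:
                flagged[ip] = (len(users), len(span), successes)
    return flagged
```

Accounts that logged in successfully from a flagged source are the ones to treat as possible takeovers; that is what the temporary account lockout in the article responds to.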