TurboTax Hit with Credential Stuffing Attack, Tax Returns CompromisedTurboTax Hit with Credential Stuffing Attack, Tax Returns Compromised
Officials report an unauthorized party obtained tax return data by using credentials obtained from an outside source.
February 26, 2019
Update 2/26/2019: This article has been updated to reflect new information regarding the TurboTax incident.
Intuit, a financial software company and creator of services Mint, QuickBooks, and TurboTax, reports the latter has been hit with a credential stuffing attack targeting specific users' tax return information.
The incident was discovered during a system security review, Intuit reported in a breach disclosure letter filed with the Office of the Vermont Attorney General and shared with affected users. Officials explain how an unauthorized party targeted specific TurboTax users by taking usernames and passwords "from a non-Intuit source," which they used in a credential stuffing attack.
If their login was successful, attackers may have accessed data contained in a prior year's tax return or current tax returns in progress. This includes name, Social Security number, address(es), birthdates, driver's license number, and financial data (salary, deductions), as well as information belonging to other individuals included in the victim's tax return, they report.
Upon discovering the problem, Intuit made affected accounts temporarily unavailable to protect data from further unauthorized access. It's offering victims one year of free identity protection, credit monitoring, and identity restoration services via Experian IdentityWorks.
Update: Intuit has issued a statement to emphasize there has been no breach of its systems, and the incident described in the notification letter is related to unauthorized access of specific accounts.
Read more details here.
Join Dark Reading LIVE for two cybersecurity summits at Interop 2019. Learn from the industry's most knowledgeable IT security experts. Check out the Interop agenda here.
About the Author(s)
You May Also Like
Hacking Your Digital Identity: How Cybercriminals Can and Will Get Around Your Authentication MethodsOct 26, 2023
Modern Supply Chain Security: Integrated, Interconnected, and Context-DrivenNov 06, 2023
How to Combat the Latest Cloud Security ThreatsNov 06, 2023
Reducing Cyber Risk in Enterprise Email Systems: It's Not Just Spam and PhishingNov 01, 2023
SecOps & DevSecOps in the CloudNov 06, 2023
9 Traits You Need to Succeed as a Cybersecurity Leader
The Ultimate Guide to the CISSP
The Burnout Breach: How employee burnout is emerging as the next frontier in cybersecurity
2021 Banking and Financial Services Industry Cyber Threat Landscape Report
2021 Gartner Market Guide for Managed Detection and Response Report