Intuit, a financial software company, discovered that tax return information was accessed by an unauthorized individual or group after a number of TurboTax tax preparation software accounts were breached.
The TurboTax accounts were breached in a credential stuffing attack. Credential stuffing is a type of cyber attack in which stolen credentials are used to gain access to user accounts. An attacker may take username/password information obtained from a prior breach and use it, along with other information about the victim, to gain unauthorized access to other accounts.
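As an added illustration (not part of the original article and not Intuit's detection logic), the Python below shows how a defender might flag the pattern described above in login logs: one source trying many different usernames with mostly failed logins. The log format, thresholds and function name are assumptions, and the sample lines are constructed.

```python
from collections import defaultdict

# Constructed sample auth log: "<ISO time> <source IP> <username> <OK|FAIL>"
SAMPLE_LOG = """\
2024-01-01T10:00:01Z 203.0.113.7 alice FAIL
2024-01-01T10:00:02Z 203.0.113.7 bob FAIL
2024-01-01T10:00:03Z 203.0.113.7 carol OK
2024-01-01T10:00:04Z 203.0.113.7 dave FAIL
2024-01-01T10:00:05Z 203.0.113.7 erin FAIL
2024-01-01T10:00:06Z 203.0.113.7 frank FAIL
2024-01-01T10:01:00Z 198.51.100.4 grace FAIL
2024-01-01T10:01:20Z 198.51.100.4 grace FAIL
2024-01-01T10:01:45Z 198.51.100.4 grace OK
2024-01-01T10:02:00Z 192.0.2.10 heidi OK
"""


def find_stuffing_sources(log_text, min_users=5, max_success_ratio=0.25):
    """Return {source_ip: [accounts that logged in OK]} for suspicious sources.

    A source is flagged when it tried at least `min_users` distinct usernames
    and the share of successful logins is at most `max_success_ratio`. A user
    who mistypes their own password repeatedly touches one username only and
    is therefore not flagged. Thresholds are assumed values to be tuned.
    """
    attempts = defaultdict(int)
    users = defaultdict(set)
    hits = defaultdict(set)
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip blank or malformed lines
        _, ip, user, result = parts
        attempts[ip] += 1
        users[ip].add(user)
        if result == "OK":
            hits[ip].add(user)

    flagged = {}
    for ip, total in attempts.items():
        many_users = len(users[ip]) >= min_users
        low_success = len(hits[ip]) / total <= max_success_ratio
        if many_users and low_success:
            # Accounts listed here are candidates for disabling and reset.
            flagged[ip] = sorted(hits[ip])
    return flagged


if __name__ == "__main__":
    print(find_stuffing_sources(SAMPLE_LOG))
```

The accounts returned for a flagged source are the ones where a reused password worked, which is the set a provider would disable and notify.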
In this instance, Intuit, the developer of the TurboTax software suite, had its accounts breached by an attacker using credentials obtained elsewhere. Intuit has filed a breach notification with the Vermont Attorney General, as is required by law. Affected users are being notified about the issue and, in the meantime, the affected accounts have been disabled.
Based on our investigation, it appears an unauthorized party may have accessed your account by using your username and password combination that was obtained from a non-Intuit source. The unauthorized access occurred [on/from] [date/date range]. By accessing your account, the unauthorized party may have obtained information contained in a prior year’s tax return or your current tax return in progress, such as your name, Social Security number, address(es), date of birth, driver’s license number and financial information (e.g., salary and deductions), and information of other individuals contained in the tax return.
Intuit has not yet disclosed the number of breached accounts, but its notice does disclose that the users reside in Maryland, Massachusetts and North Carolina. At this point it is just speculation, but the breach has the potential to be significant, since TurboTax is a very popular software package whose existence has spanned two decades. It is estimated that TurboTax is used by around 36 million taxpayers annually.
If you are a TurboTax user who has lost access to your account, you may be one of those affected by the breach. To reactivate your account, you have to contact Intuit on their customer care line, 1-800-944-8596, and say “Security” when prompted. This will trigger a customer service employee to walk you through an identification process to help reinstate your account.
We deeply regret that this incident may affect you. Intuit has taken various measures to help ensure that the accounts of affected customers are protected. We are notifying you so you can take steps to help protect your information.
Intuit has been the victim of credential stuffing attacks twice in the past, once on 02/01/2014 and once on 02/27/2015. These have been filed with the Office of the California Attorney General.