Tax Returns Exposed in TurboTax Credential Stuffing Attacks

Written by Sergiu Gatlan / Courtesy of Bleeping Computer

Financial software company Intuit discovered that tax return info was accessed by an unauthorized party after an undisclosed number of TurboTax tax preparation software accounts were breached in a credential stuffing attack.

A credential stuffing attack is when attackers compile username and passwords that were leaked from previous security breaches and use those credentials to try and gain access to accounts at other sites. This type of attack works particularly well against users who use the same password at every site.

In the notice of data breach sent to the TurboTax users impacted by this security breach incident, Intuit says that:

Based on our investigation, it appears an unauthorized party may have accessed your account by using your usemame and password combination that was obtained from a non-Intuit source. The unauthorized access occurred [on/from] [date/date range]. By accessing your account, the unauthorized party may have obtained information contained in a prior year’s tax return or your current tax return in progress, such as your name, Social Security number, address(es), date of birth, driver’s license number and financial information (e.g._ salary and deductions), and information of other individuals contained in the tax return.

Intuit also states that the breach was discovered during a security review of its systems in the TurboTax data breach notification which was filed with the Office of the Vermont Attorney General.

Following the discovery of the security breach, Intuit decided to temporarily disable the TurboTax accounts which were breached in the credential stuffing attack.

TurboTax users who had their accounts temporarily deactivated have to contact Intuit using the company’s Customer Care department at 1-800-944-8596 and say “Security” when prompted, after which Intuit employees will walk them through an identity verification procedure designed to help them reactivate their accounts.

To re-enable their accounts, TurboTax customers can also e-mail Intuit at TTaxInvestigations@intuit.com for further details on what steps they need to go through to reinstate their accounts.

Intuit also said that:

We deeply regret that this incident may affect you. Intuit has taken various measures to help ensure that the accounts of affected customers are protected. We are notifying you so you can take steps to help protect your information.

The company also provides one year of free identity protection, credit monitoring, and Experian IdentityWorks identity restoration services to customers impacted by the data breach to further protect their TurboTax accounts.

Intuit’s TurboTax was previously breached and customer tax return information was leaked after two other credential stuffing attacks on 02/01/2014 and 02/27/2015 according to a data breach notice filed with the Office of the California Attorney General on 04/06/2015.

BleepingComputer has reached out to Intuit for further information on the breach dates and the number of accounts impacted in the event but had not heard back at the time of this publication. This article will be updated when a response is received.

Update 2/24/19: Intuit issued the following statement to BleepingComputer:

To be clear, there was no data breach of Intuit’s systems or any third party accessing Intuit systems.

The notice referenced in your post is a notification Intuit sent to Vermont informing of Intuit discovering what it believes is unauthorized access of a customer’s account as a result of a fraudulent account log-in – an Account Takeover, not a data breach of Intuit. This notice is standard communication between Intuit and states and does not constitute notice of a systemic data breach.

After discovering what we believe is unauthorized access to an individual’s account, we conducted an investigation and took steps to secure our customers’ accounts and information. We believe a third party used legitimate log-in credentials that were obtained from non-Intuit sources and used them to access an Intuit account. As someone in your field knows, an individual’s account login information may have been acquired from any number of sources other than Intuit.

The security of our products and our customers’ data is a top priority and we continue to invest in security and fraud protection, including:

Providing Suspicious Activity Reports for additional investigation based on risk scoring.

Developing third-party partnerships to provide knowledge-based authentication

Validating IP addresses to look for discrepancies in IP addresses and block high-risk transactions from suspect geographies

Implementing multi-factor authentication that requires customers to validate their identity in multiple ways to reduce the possibility of tax refund fraud.

Creating an end-to-end fraud resolution process to assist affected customers in resolving fraud and restoring their identity.

Linking federal and state returns and requiring them to be filed simultaneously.

Intuit also posts security best practices and other information on our Online Security Center that can be found at www.security.intuit.com.

One of our top priorities is to help ensure the privacy and security of our customers’ information. Toward that end, we offer identity protection and credit monitoring services to any affected customers free of charge for one year.