Intuit has announced that its consumer tax-preparation software, TurboTax, has suffered a security breach. Credential stuffing allowed thieves to log in to users' accounts on the popular online tax service. Similar events in 2014 and 2015 compromised a number of user accounts, and this latest event has exposed an undisclosed number of users' tax returns.
The method of attack was nearly identical to the previous events. Using a tactic known as "credential stuffing," the attackers logged in to an undisclosed number of accounts with valid usernames and passwords, then looked up the owners' previously filed tax returns, which contain enough data (names, addresses, Social Security numbers, income details) to reconstruct a complete identity. Credential stuffing does not require breaking into the target's own password store. Instead, attackers take username and password pairs garnered from a different source, typically a separate data breach of an unrelated company, and test them against the login forms of other services.
For example, if a bank or retailer you use suffers a data breach, the username and password stolen there will be tried on other websites. The entire database of compromised credentials, sometimes millions of separate entries, is replayed automatically by a script or a purpose-built tool. Even though only a small fraction of the pairs will match an account on any given site, with millions of records to choose from that fraction still yields a large number of working logins, which is what makes the attack worthwhile at scale.
That is exactly what happened with the TurboTax breach. Any customer who reused a username and password from a previously breached site unwittingly handed access to their TurboTax account, and therefore their tax returns and complete identities, to the attackers.
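As an added illustration of how a defender spots the pattern described above (example code written for this page, not part of the original article or of Intuit's systems), the script below parses constructed login-event lines and flags source addresses that try many distinct usernames in a short window with a high failure rate, then lists which accounts those addresses did get into. The one-line-per-attempt log format, the field names, the thresholds and the IP addresses are all assumptions for the example.

```python
"""Credential-stuffing detector over constructed login-event lines.

Added example: not code from the original article or from Intuit.
The log format (one line per login attempt, space-separated key=value
fields) and the thresholds are assumptions chosen for illustration.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, NamedTuple

# Constructed sample log (not real data, addresses from RFC 5737 test ranges).
# 203.0.113.7 sprays ten different accounts in six seconds and gets two.
# 198.51.100.4 is one user retrying their own password: not stuffing.
SAMPLE_LOG = """\
2019-02-23T09:00:01Z ip=203.0.113.7 user=alice@example.com result=FAIL
2019-02-23T09:00:02Z ip=203.0.113.7 user=bob@example.com result=FAIL
2019-02-23T09:00:02Z ip=203.0.113.7 user=carol@example.com result=FAIL
2019-02-23T09:00:03Z ip=203.0.113.7 user=dave@example.com result=OK
2019-02-23T09:00:03Z ip=203.0.113.7 user=erin@example.com result=FAIL
2019-02-23T09:00:04Z ip=203.0.113.7 user=frank@example.com result=FAIL
2019-02-23T09:00:04Z ip=203.0.113.7 user=grace@example.com result=FAIL
2019-02-23T09:00:05Z ip=203.0.113.7 user=heidi@example.com result=FAIL
2019-02-23T09:00:05Z ip=203.0.113.7 user=ivan@example.com result=OK
2019-02-23T09:00:06Z ip=203.0.113.7 user=judy@example.com result=FAIL
2019-02-23T09:10:00Z ip=198.51.100.4 user=alice@example.com result=FAIL
2019-02-23T09:10:30Z ip=198.51.100.4 user=alice@example.com result=FAIL
2019-02-23T09:11:00Z ip=198.51.100.4 user=alice@example.com result=OK
2019-02-23T09:12:00Z ip=192.0.2.9 user=mallory@example.com result=OK
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)$"
)


class LoginEvent(NamedTuple):
    ts: datetime
    ip: str
    user: str
    ok: bool


def parse_log(text: str) -> List[LoginEvent]:
    """Parse the assumed log format; skip lines that do not match. Sorted by time."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(LoginEvent(ts, m["ip"], m["user"], m["result"] == "OK"))
    return sorted(events)


def detect_stuffing(
    events: List[LoginEvent],
    window: timedelta = timedelta(seconds=60),
    min_users: int = 5,
    min_fail_ratio: float = 0.5,
) -> Dict[str, List[str]]:
    """Flag source IPs whose attempts look like credential stuffing.

    The signature is many *distinct* usernames from one source inside a
    short window with a high failure rate. A single user retrying one
    account does not trip it (distinct users stays at 1).

    Returns {ip: sorted accounts that logged in OK from that ip}, i.e. the
    accounts a responder should lock and notify first.
    """
    by_ip: Dict[str, List[LoginEvent]] = defaultdict(list)
    for ev in events:
        by_ip[ev.ip].append(ev)

    flagged: Dict[str, List[str]] = {}
    for ip, evs in by_ip.items():
        start = 0
        for end in range(len(evs)):
            # Slide the window start forward until it spans at most `window`.
            while evs[end].ts - evs[start].ts > window:
                start += 1
            win = evs[start : end + 1]
            users = {e.user for e in win}
            fails = sum(1 for e in win if not e.ok)
            if len(users) >= min_users and fails / len(win) >= min_fail_ratio:
                flagged[ip] = sorted({e.user for e in evs if e.ok})
                break
    return flagged


if __name__ == "__main__":
    for ip, accounts in detect_stuffing(parse_log(SAMPLE_LOG)).items():
        print(f"{ip}: likely credential stuffing; accounts accessed: {accounts}")
```

Per-source thresholds like these catch the naive campaign in the sample, but real campaigns are spread across proxy and residential IP pools so that no single address exceeds the threshold. In production the same distinct-user and failure-rate logic is usually applied per ASN, per device fingerprint, or site-wide against a baseline, and the accounts that did log in successfully are the ones to force a password reset on.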
Intuit has already filed a notice of the TurboTax breach with the Vermont attorney general's office and has begun notifying affected customers. You will receive notice via email if your account was compromised. Breach-notification law requires Intuit to inform affected customers, and the company is offering them a number of services, including a year of free credit monitoring. It is important that you follow the instructions in the notification in order to unlock your TurboTax account and take advantage of the tools the company is offering to protect you from further harm.
More importantly, this event stands as yet another dire warning to consumers. Whether or not a consumer was affected by this breach, they need to stop reusing passwords across websites. Credential stuffing is easy to accomplish regardless of the criminal's level of technical know-how: entire databases of compromised records are sold on the dark web, and the tools that replay them against login pages are freely available, so anyone with the means can buy a credential list and use it to take over accounts elsewhere. Keep your passwords long and unguessable, use a different one for every site (a password manager makes this practical), change a password immediately when any site where you used it is breached, and turn on multi-factor authentication wherever it is offered, since a stolen password alone will not get an attacker past it.