TurboTax Breach Caused by Credential Stuffing - Identity Theft Resource Center

TurboTax Breach Caused by Credential Stuffing

Intuit has announced that its consumer-centric TurboTax software has suffered a security breach. Credential stuffing allowed thieves to access users’ accounts for the popular online tax service. Similar events in 2014 and 2015 led to the compromise of a number of users’ accounts, and now another event has compromised untold numbers of users’ tax returns.

The method of attack was nearly identical to the previous events. Using a tactic known as “credential stuffing,” hackers were able to access the complete identities of undisclosed numbers of users by gaining access to their accounts and looking up their previously filed tax returns. Credential stuffing occurs when hackers use information that was garnered from a different source—such as a separate data breach of an unrelated company—to test out the credentials in other places.

For example, if there’s a data breach of a bank or retailer that you use, your username and password that were stolen in that breach will be tested out on other websites. The entire database of compromised information, sometimes millions of separate entries, will be tried automatically. With many stolen consumer records to choose from, the chances that some of those credentials will work on one or more other websites are very, very high.

That is exactly what happened with the TurboTax breach. Any clients who reused their usernames and passwords from a previously breached site accidentally handed access to their TurboTax accounts—and therefore, their tax returns and complete identities—to the hackers.
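On the service side, the automated testing described above leaves a recognizable trace: one source trying many different usernames, with only a few logins succeeding. The following sketch is an added example, not code from Intuit or ITRC; the event format, the thresholds and the sample log entries are assumptions constructed for illustration.

```python
from collections import defaultdict

# Constructed sample login events: (source_ip, username, login_succeeded).
SAMPLE_EVENTS = (
    # One source walking through a list of usernames; one reused password works.
    [("203.0.113.7", f"user{i}@example.com", i == 3) for i in range(8)]
    # An ordinary customer who mistypes a password once.
    + [("198.51.100.20", "alice@example.com", False),
       ("198.51.100.20", "alice@example.com", True)]
    # Repeated guessing against ONE account: a different pattern, not stuffing.
    + [("192.0.2.50", "bob@example.com", False)] * 6
)


def flag_stuffing_sources(events, min_users=5, max_success_ratio=0.2):
    """Flag sources that try many distinct usernames and mostly fail.

    Returns {source_ip: stats}. "accounts_to_lock" lists the usernames that
    DID log in from a flagged source: these are the accounts to lock, reset
    and notify. Thresholds are illustrative assumptions, not tuned values.
    """
    per_ip = defaultdict(lambda: {"users": set(), "attempts": 0, "hits": set()})
    for ip, user, ok in events:
        stats = per_ip[ip]
        stats["users"].add(user)
        stats["attempts"] += 1
        if ok:
            stats["hits"].add(user)

    flagged = {}
    for ip, stats in per_ip.items():
        success_ratio = len(stats["hits"]) / len(stats["users"])
        if len(stats["users"]) >= min_users and success_ratio <= max_success_ratio:
            flagged[ip] = {
                "distinct_users": len(stats["users"]),
                "attempts": stats["attempts"],
                "accounts_to_lock": sorted(stats["hits"]),
            }
    return flagged


if __name__ == "__main__":
    for ip, info in flag_stuffing_sources(SAMPLE_EVENTS).items():
        print(ip, info)
```

Grouping by source address is a simplification: the same check can be keyed on other request attributes when attempts are spread across many addresses.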

Intuit has already filed a notice of the TurboTax breach with the Vermont attorney general’s office and has begun notifying affected customers. You will receive notice via email if your account was compromised. According to US law, Intuit must provide a number of services to those customers, including a year of free credit monitoring. It is important that you follow the instructions in the notification in order to unlock your TurboTax account and take advantage of the tools the company is offering to protect you from further harm.

More importantly, this event stands as yet another dire warning to consumers. Whether a consumer was impacted by this breach or not, they need to stop reusing passwords on multiple websites. Credential stuffing is easy to accomplish, regardless of the criminal’s level of technology know-how. Entire databases of compromised records are available for sale on the dark web, meaning anyone with the means can simply purchase login credentials and use them to steal information from other accounts. Keep your passwords long and unguessable, change them routinely to avoid situations just like this one, and make sure you are not reusing your passwords on multiple sites.


Contact the Identity Theft Resource Center for toll-free, no-cost assistance at (888) 400-5530. For on-the-go assistance, check out the free ID Theft Help App from ITRC.


February 25, 2019/by Alex Hamilton
Tags: Blog, Credential Cracking, credential stuffing, data breach, intuit breach, login credentials, password hacking, security breach, SF, turbo tax, turbo tax breach

© Copyright 2020 - Identity Theft Resource Center
This product was produced by Identity Theft Resource Center and supported by grant number 2014-XV-BX-K003, awarded by the Office for Victims of Crime, Office of Justice Programs, U.S. Department of Justice. The opinions, findings, and conclusions or recommendations expressed in this product are those of the contributors and do not necessarily represent the official position or policies of the U.S. Department of Justice.