TurboTax Users Hit by Credential Stuffing Attack


Users of popular tax preparation software TurboTax have been hit by a credential stuffing attack, the latest in a wave of similar raids using compromised credentials.

Financial software maker Intuit sent a letter to affected customers, a copy of which was filed with the Office of the Vermont Attorney General.

“Based on our investigation, it appears an unauthorized party may have accessed your account by using your username and password combination that was obtained from a non-Intuit source,” it read.

“By accessing your account, the unauthorized party may have obtained information contained in a prior year’s tax return or your current tax return in progress, such as your name, Social Security number, address(es), date of birth, driver’s license number and financial information (e.g. salary and deductions), and information of other individuals contained in the tax return.”

As the letter revealed, accounting software can be a lucrative target for hackers given the wealth of sensitive personal and financial information stored in accounts. In this case, tax details could be used to commit IRS fraud.

The most popular tactic until recently was to file a fraudulent tax return using a stolen identity early in the filing season with the aim of getting a refund sent out before the real taxpayer had filed their return.

Hackers have also in the past been spotted impersonating tax software providers in a bid to steal log-ins from tax preparation professionals. Now it seems they’re going straight to the taxpayers’ online accounts.

In response, Intuit said it has made the accounts of affected users temporarily unavailable and urged them to switch on two-factor authentication (2FA) and to change their passwords immediately. The firm is also offering a year’s free credit monitoring and identity protection.
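The response described above (lock the affected accounts, force a password change, push 2FA) presupposes that the provider can tell a credential-stuffing run apart from ordinary logins. The following is an added illustration, not code from Intuit or from the article: a small detector that reads constructed authentication log lines (the format, IP addresses and usernames are all assumptions) and flags source addresses that try many distinct usernames with a high failure rate, the signature of credentials replayed from a third-party breach. Accounts that saw a successful login from a flagged address are returned as the set to lock and reset.

```python
"""Flag credential-stuffing patterns in authentication logs (added example).

A stuffing run replays username/password pairs leaked elsewhere, so it looks
like one source address cycling through many *different* usernames, most of
which fail. The few that succeed are the accounts that must be locked and
forced through a password reset plus 2FA enrolment.
"""
import re
from collections import defaultdict

# Constructed sample log. The line format, addresses and usernames are
# assumptions for this example; they are not from the article or from Intuit.
SAMPLE_LOG = """\
2019-02-20T08:00:01Z ip=203.0.113.5 user=alice result=OK
2019-02-20T08:00:02Z ip=203.0.113.5 user=bob result=FAIL
2019-02-20T08:00:03Z ip=203.0.113.5 user=carol result=FAIL
2019-02-20T08:00:04Z ip=203.0.113.5 user=dave result=OK
2019-02-20T08:00:05Z ip=203.0.113.5 user=erin result=FAIL
2019-02-20T08:00:06Z ip=203.0.113.5 user=frank result=FAIL
2019-02-20T08:00:07Z ip=203.0.113.5 user=grace result=FAIL
2019-02-20T08:00:08Z ip=203.0.113.5 user=heidi result=FAIL
2019-02-20T09:15:00Z ip=198.51.100.7 user=carol result=FAIL
2019-02-20T09:15:10Z ip=198.51.100.7 user=carol result=OK
2019-02-20T09:15:12Z ip=198.51.100.7 user=carol result=OK
this line is malformed and must be skipped
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)$"
)


def parse_log(text):
    """Parse log text into event dicts; malformed lines are dropped, not fatal."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append(m.groupdict())
    return events


def analyze_auth_log(text, min_distinct_users=5, min_fail_ratio=0.7):
    """Return {ip: stats} for source addresses that look like stuffing runs.

    Both thresholds must be exceeded: a shared office NAT also produces many
    distinct usernames, but its failure ratio stays low, so it is not flagged.
    """
    per_ip = defaultdict(lambda: {"users": set(), "ok_users": set(),
                                  "attempts": 0, "failures": 0})
    for ev in parse_log(text):
        s = per_ip[ev["ip"]]
        s["users"].add(ev["user"])
        s["attempts"] += 1
        if ev["result"] == "FAIL":
            s["failures"] += 1
        else:
            s["ok_users"].add(ev["user"])

    alerts = {}
    for ip, s in per_ip.items():
        ratio = s["failures"] / s["attempts"]
        if len(s["users"]) >= min_distinct_users and ratio >= min_fail_ratio:
            alerts[ip] = {
                "distinct_users": len(s["users"]),
                "attempts": s["attempts"],
                "failures": s["failures"],
                "fail_ratio": ratio,
                # Successful logins from a stuffing source: treat as compromised.
                "accounts_accessed": sorted(s["ok_users"]),
            }
    return alerts


def accounts_to_lock(alerts):
    """Union of accounts accessed from any flagged address, sorted for reporting."""
    compromised = set()
    for stats in alerts.values():
        compromised.update(stats["accounts_accessed"])
    return sorted(compromised)


if __name__ == "__main__":
    found = analyze_auth_log(SAMPLE_LOG)
    for ip, stats in found.items():
        print(f"{ip}: {stats['distinct_users']} users, "
              f"fail ratio {stats['fail_ratio']:.2f}, "
              f"accessed {stats['accounts_accessed']}")
    print("lock + force reset + require 2FA:", accounts_to_lock(found))
```

On the constructed sample, only 203.0.113.5 is flagged (eight usernames, six failures), and alice and dave come back as the accounts to lock, reset and enrol in 2FA; carol's own retries from 198.51.100.7 stay below the distinct-user threshold. In production the same counts would be kept over a sliding time window rather than a whole file, and a low hit rate (a few percent) with a very high failure ratio is exactly what a stuffing run against a large user base looks like.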

This is the latest in a string of credential stuffing attacks this year, with firms as diverse as Daily Motion, Reddit and OkCupid affected.

Ping Identity chief customer information officer, Richard Bird, argued that firms are failing to protect their users’ identities.

“It is highly unlikely, after all these years of trying to educate customers to use unique account names and passwords across their service providers, that those behaviors are going to miraculously change,” he added.

“Companies must, and will be demanded, to come to the table with better securitization methods for their customers. Multi-factor authentication is the beginning of security in the customer access control space. Unfortunately, the vast majority of companies haven’t even made it to the starting line of securing their customers’ identities.”
