Credential stuffing attacks struck an undisclosed number of TurboTax accounts. Credentials came from an unknown, non-Intuit source.
Password reuse continues to be a problem that isn't going away soon, even as breach awareness heightens.
Intuit, the company behind tax preparation software TurboTax, said users’ accounts may have been accessed by an unauthorized party. An undisclosed number of TurboTax accounts were breached in a credential stuffing attack in which threat actors used username and password combinations obtained from a non-Intuit source. Tax returns from the prior year, current tax returns in progress, names, Social Security numbers, addresses, dates of birth, driver’s license numbers and financial information such as salaries and deductions were compromised. Intuit temporarily made the affected accounts unavailable to protect their information from further unauthorized access and, to help protect users, is offering a year of free identity protection, credit monitoring and identity restoration services. The breach was discovered in a security audit. The TurboTax data breach notification was filed with the Office of the Vermont Attorney General.