Financial software maker Intuit has notified users of its TurboTax platform that some of their personal and financial information was accessed by attackers in what appears to be a series of account takeover attacks.
“By accessing your account, the unauthorized party may have obtained information contained in a prior year’s tax return or your current tax return in progress, such as your name, Social Security number, address(es), date of birth, driver’s license number and financial information (e.g., salary and deductions), and information of other individuals contained in the tax return,” explained Intuit in the breach notification letter sent to customers.
The company added that it has taken “various measures” to help protect its tax software customer accounts, and that investigations suggest the attack was not a “systemic data breach of Intuit.”
Poor password hygiene
Intuit suggests that the accounts were compromised as part of an account takeover attack, where cybercriminals use user credentials gleaned from data breaches on other online services. These attacks are the result of users reusing the same login credentials on multiple online services.
The account breach came to light during a regular security review, leading to further investigations that revealed the attack had exposed various details about the customers.
As soon as the attack came to light, Intuit temporarily disabled the breached TurboTax accounts. Intuit has also provided a complimentary one-year subscription to identity protection services to the affected customers.
Bleeping Computer further reports that TurboTax customers have been targeted in at least three other account takeover attacks in 2014/2015 and most recently in 2019.