Hackers accessed tax return information stored with TurboTax using a stolen password from a third party, an Intuit spokesman said Monday.
The attack, earlier reported in Dark Reading, didn’t breach the internal systems at Intuit, which owns TurboTax. Instead, attackers took lists of passwords stolen from other services and used them to try to log in to TurboTax accounts, the spokesman said. There, valuable personal information, such as Social Security numbers, names and addresses, is stored in tax returns.
Only one account was accessed, the TurboTax spokesman said. The account was of a customer in Vermont.
The technique is called “credential stuffing,” and it works because people reuse the same password across multiple accounts. You’re at risk if you use the same password for your TurboTax account and some other service that got hacked. It’s the same approach hackers appeared to use to take over a Nest security camera owner’s device in January and play a hoax message.
In addition to using a unique password, users can set up two-factor authentication that will require someone signing in from a new device to provide a onetime code to log in.
According to the IRS, tax-related identify theft decreased in 2017, with 32 percent fewer fraudulent tax returns than the prior year.