From SC Media:
Intuit, the company behind tax preparation software TurboTax, said users’ accounts may have been accessed by an unauthorized party.
Threat actors used usernames and password combinations obtained from a non-Intuit source after an undisclosed number of TurboTax accounts were breached in a credential stuffing attack.
Tax returns from the prior year, current tax returns in progress, names, social security numbers, addresses, dates of birth, driver’s license numbers and financial information such as salaries and deductions were compromised, according to the notification.
Intuit temporarily made the accounts of those unavailable and to protect their information from further unauthorized access and to help protect users, are offering a year of free identity protection, credit monitoring and identity restoration services.
The breach was discovered in a security audit of its systems in the TurboTax data breach notification that was filed with the Office of the Vermont Attorney General.
Adam Laub, senior vice president of product management, STEALTHbits Technologies warns those that use the same password across different sites, you’re ripe for the picking.
“Credential stuffing ceases to be a viable attack technique when users leverage different, unique passwords across the various sites and services they log into,” Laub said. “However, our innate desire to remember as little information as possible in an age where all the information we may ever want to recall is literally at our fingertips continues to drive the use of the same username and password combination to everything we access, from our bank accounts and medical records to of course our tax returns.”
Read the full article here.