Intuit Notifies TurboTax Users of Possible Credential Stuffing Data Breach


Who: Intuit, the company behind tax preparation software TurboTax

# of Records: Undisclosed

When it happened: February 25, 2019

What happened: Unauthorized threat actors accessed user accounts.

How it happened: Intuit discovered that an unauthorized party accessed tax return information in an undisclosed number of TurboTax tax preparation software accounts through a credential stuffing attack. The threat actors used username and password combinations obtained from a non-Intuit source. Compromised data included tax returns from the prior year, current tax returns in progress, names, Social Security numbers, addresses, dates of birth, driver’s license numbers and financial information such as salaries and deductions.

Outcome: Following the discovery of the security breach, Intuit temporarily disabled the TurboTax accounts affected by the credential stuffing attack. In its notice of data breach, Intuit notified the impacted TurboTax users and informed them that the investigation showed an unauthorized party might have accessed their accounts by using username and password combinations obtained from a non-Intuit source. A credential stuffing attack works particularly well against users who use the same password at multiple websites. To help protect users, Intuit is offering a year of free identity protection, credit monitoring, and identity restoration services.