Intuit notifies customers of hacked TurboTax accounts

Financial software company Intuit has notified TurboTax customers that some of their personal and financial information was accessed by attackers following what looks like a series of account takeover attacks.

In a breach notification letter sent to affected customers earlier this month, the company said that this was not a "systemic data breach of Intuit."

In account takeover attacks, cybercriminals gain access to their victims' accounts using credentials stolen from other online services following past data breaches.

This type of attack works incredibly well against targets who use the same login credentials for multiple sites or services.
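Credential-stuffing campaigns like the one described above tend to leave a characteristic trace in authentication logs: a single source trying many different accounts in a short window, with a handful of successes among the failures. The following detector is an added illustration and is not code from Intuit or BleepingComputer; the log format and sample lines are constructed, and the window and threshold values are assumptions to be tuned per service.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample auth log lines (not real Intuit/TurboTax data).
# Format assumed here: timestamp, source IP, account, result.
SAMPLE_LOG = """\
2024-03-01T10:00:01 203.0.113.7 alice@example.test FAIL
2024-03-01T10:00:02 203.0.113.7 bob@example.test FAIL
2024-03-01T10:00:03 203.0.113.7 carol@example.test SUCCESS
2024-03-01T10:00:04 203.0.113.7 dave@example.test FAIL
2024-03-01T10:00:05 203.0.113.7 erin@example.test FAIL
2024-03-01T10:00:06 203.0.113.7 frank@example.test SUCCESS
2024-03-01T10:05:00 198.51.100.9 alice@example.test FAIL
2024-03-01T10:05:30 198.51.100.9 alice@example.test SUCCESS
"""

def parse_log(text):
    """Parse the constructed log format into (datetime, ip, account, result) tuples."""
    events = []
    for line in text.splitlines():
        ts, ip, account, result = line.split()
        events.append((datetime.fromisoformat(ts), ip, account, result))
    return events

def find_credential_stuffing(events, window_seconds=300, min_accounts=5):
    """Flag source IPs that attempt at least min_accounts distinct accounts
    within window_seconds. Returns {ip: sorted accounts that logged in
    successfully from that IP inside the flagged window}; those accounts are
    the candidates for forced re-verification, as in the incident above."""
    by_ip = defaultdict(list)
    for ts, ip, account, result in events:
        by_ip[ip].append((ts, account, result))
    flagged = {}
    for ip, rows in by_ip.items():
        rows.sort()  # chronological order
        for i, (start, _, _) in enumerate(rows):
            in_window = [r for r in rows[i:]
                         if (r[0] - start).total_seconds() <= window_seconds]
            accounts = {acct for _, acct, _ in in_window}
            if len(accounts) >= min_accounts:
                flagged[ip] = sorted(acct for _, acct, res in in_window
                                     if res == "SUCCESS")
                break
    return flagged
```

A single user retrying their own password from one IP (198.51.100.9 in the sample) is not flagged; the spray across six accounts from 203.0.113.7 is, with two compromised accounts listed.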

"We have more than 100 million customers and see billions of transactions per year with ATO notifications going to less than .0003% of customers and some of those confirmed by the customer after the fact as their activity (not an ATO)," Rick Heineman, Intuit Corporate Communications Vice President, told BleepingComputer.

TurboTax accounts hacked using reused credentials

Intuit discovered during a security review that an undisclosed number of TurboTax accounts were breached and customer information was exposed.

The company's investigation revealed that the threat actors used credentials (usernames and passwords) obtained from "a non-Intuit source" to gain access to the accounts.

"By accessing your account, the unauthorized party may have obtained information contained in a prior year's tax return or your current tax return in progress, such as your name, Social Security number, address(es), date of birth, driver's license number and financial information (e.g., salary and deductions), and information of other individuals contained in the tax return," Intuit explained.

"We deeply regret that this incident may affect you. Intuit has taken various measures to help ensure that the accounts of affected customers are protected. We are notifying you so you can take steps to help protect your information," the company added.

After discovering the attacks, Intuit temporarily disabled the breached TurboTax accounts. Users who had their accounts deactivated must contact Intuit's Customer Care department at 1-800-944-8596 and say "Security" when prompted.

Afterward, Intuit employees will walk them through an identity verification procedure designed to help reactivate the accounts.

Previous alerts of TurboTax account takeovers

This is not the first time attackers have successfully hacked into TurboTax users' accounts and stolen financial and personal information.

TurboTax customers were previously targeted in at least three other series of account takeover attacks in 2014/2015 and again in 2019.

Just as after the previous three incidents, Intuit provides one year of free identity protection, credit monitoring, and Experian IdentityWorks identity restoration services to impacted customers.
