Ride the Lightning

TurboTax Users Risk Being Compromised by Password Reuse

February 27, 2019

We never learn. No matter how valuable the lesson is – don't reuse passwords – people continue to do it.

CNET reported that hackers accessed tax return information stored with TurboTax using a stolen password from a third party.

The attack didn't breach the internal systems at Intuit, which owns TurboTax. Instead, attackers took lists of passwords stolen from other services and used them to try to log in to TurboTax accounts, a TurboTax spokesman said. Valuable personal information, such as Social Security numbers, names and addresses, is stored in tax returns.

Only one account was accessed according to the spokesman. The account was of a customer in Vermont. If that gives you comfort, it shouldn't. Now that I have seen this story in at least six different sources, an army of bad guys is likely trying to do the same thing.

The technique is called "credential stuffing," and it works because people reuse the same password across multiple accounts. You're at risk if you use the same password for your TurboTax account and some other service that got hacked.

In addition to using a unique password, users can set up two-factor authentication that will require someone signing in from a new device to provide a onetime code to log in.

Unique passwords everywhere please – and use a password manager!

Here endeth the lesson.

E-mail:    Phone: 703-359-0700
Digital Forensics/Information Security/Information Technology
https://www.senseient.com
https://twitter.com/sharonnelsonesq
https://www.linkedin.com/in/sharondnelson
https://amazon.com/author/sharonnelson