An undisclosed number of TurboTax customer accounts have been compromised in a credential stuffing attack.
“Based on our investigation,” a notice told affected users, “…an unauthorized party may have accessed your account by using your usemame and password combination that was obtained from a non-Intuit source. The unauthorized access occurred [on/from] [date/date range]. By accessing your account, the unauthorized party may have obtained information contained in a prior year’s tax return or your current tax return in progress, such as your name, Social Security number, address(es), date of birth, driver’s license number and financial information (e.g._ salary and deductions), and information of other individuals contained in the tax return.”
Intuit is offering one year of free identity theft protection to affected customers, but vehemently denied that a breach took place.
“There has been NO data breach of Intuit’s systems. There was NO third party that accessed Intuit systems or accessed customer information stored in those systems… a customer’s account experienced unauthorized access by a third party using legitimate log-in credentials that Intuit believes were obtained from sources outside the company. The individual’s account login information may have been acquired from any number of sources outside of Intuit.”
Read more details here.