It’s tax time again. Millions of Americans are filing for returns and making plans for how to use the money. Attackers have other ideas for that tax return.
TurboTax promotes itself as the number one, best-selling tax preparation software. No doubt they hold credentials belonging to millions of Americans who have used them for their taxes. Now, officials report an attacker obtained tax return data through a credential stuffing hack on their platform.
Credential stuffing is when attackers gather millions of compromised usernames and passwords available on the internet. They than automate the use of those credentials to break into user accounts. Once they have access, they take your personal information from a previous tax year and file a fraudulent return to grab your cash. Sorry about that trip you were planning.
Even if you haven’t used TurboTax recently, or for this year’s return, you may be at risk. Particularly if you re-use a password for multiple online accounts or services. That password may already be in the hands of an attacker.
What to do about it:
Check to see if an attacker has accessed your information in the past. Visit haveibeenpwned.com.
Be sure to use different, complex passwords for all accounts.
Monitor your financial accounts for nefarious activity.
File your tax return as early as possible to avoid someone else doing so first.
If you think you are a victim of identity theft and your tax return is in jeopardy, contact the IRS.
Remember, you can keep your online accounts a great deal safer just by using better passwords. So if you are looking for a way to improve your cybersecurity, password security is where you should start.
- What is Credential Stuffing?
- TurboTax article published by Dark Reading
- IRS Taxpayer Guide to Identity Theft