Reports of TurboTax Breach Greatly Exaggerated

Reports of a data breach of TurboTax have been overblown, according to Intuit which owns the tax preparation platform.

Several news outlets recently reported that an unspecified number of TurboTax accounts were compromised in a wave of credential stuffing attacks. Those kinds of attacks exploit credentials stolen from other websites and reused at the TurboTax site.

“There was no breach of Intuit systems,” said spokesman Rick Heineman.

He explained that Intuit notified one customer in Massachusetts that it locked their account after discovering what appeared to be an attempt at unauthorized access to it.

“We then shared a copy of that notification to the one individual with local authorities,” he told TechNewsWorld.

When Intuit fraud prevention teams notice an attempted or successful login to an Intuit account that has leveraged harvested credentials from third-party sources, Heineman observed, we immediately block access to that account, send a notification to the customer, require a process of identity verification by the account owner, and ask that their credentials be changed in order to re-access the account.

“Intuit undertakes robust real-time fraud prevention processes — including at login and in-product — to flag any perceived anomalous behavior,” he said.

In order to protect customer information, he added, the company has implemented a number of organizational, technical and administrative controls across its products and services. They include multi-factor authentication, encryption, and robust logging, monitoring and blocking capabilities.

Profitable Tactic

Bleeping Computer on Saturday reported that Intuit had notified TurboTax customers that some of their personal and financial information was accessed by attackers following what looks like a series of account takeover attacks.

A similar report appeared Monday at the TechRadar website. Financial software maker Intuit has notified users of its TurboTax platform that some of their personal and financial information was accessed by attackers in what appears to be a series of account takeover attacks, it reported.

A credential stuffing attack on a site like TurboTax could be highly lucrative, noted James McQuiggan, a security awareness advocate at KnowBe4, a cybersecurity training provider in Clearwater, Fla.

“It provides access to personal information about the user, their tax information and of course, their social security numbers for them and possibly their immediate family,” he told TechNewsWorld.

“With over 8.4 million passwords in the wild and over 3.5 billion of those passwords tied to actual email addresses, it provides a starting point for cyber criminals to target various online sites that utilize accounts for their customers,” he continued.

“If users set up accounts with the previously exposed passwords, they are making it easy for cyber criminals to steal their data,” he said.

“Conducting credential stuffing attacks are easy, low-risk, and deliver high return on investment , if successful,” added Leo Pate, an application security consultant with nVisium, an application security provider in Herndon, Va.

“From a criminal point-of-view, many platforms don’t offer strong security controls, like multi-factor authentication, or users simply do not take advantage of them, even if available, thereby resulting in a higher rate of successful compromise,” he told TechNewsWorld.

Use Unique Passwords

Despite warnings about reusing passwords, consumers continue the practice. “Old habits are hard to break,” observed McQuiggan.

“For example,” he continued, “people dislike coming up with different passwords for each account. They find it easier to use one they can easily remember or add some variation to it, like a different number or website name.”

“Consumers today use dozens of services online. Keeping a unique, strong password for each service in anyone’s head is nearly impossible due to different complexity requirements, length requirements, and sheer quantity of services consumed,” added Ben Eichorst, principal engineer at Yubico, of Palo Alto, Calif., a maker of USB and wireless authentication solutions.

He told TechNewsWorld that recent research shows that 51 percent of IT security respondents say their organizations have experienced a phishing attack, with another 12 percent of respondents stating that their organizations experienced credential theft. Yet, only 53 percent of IT security respondents say their organizations have changed how passwords or protected corporate accounts were managed.

“Interestingly enough,” he continued, “individuals reuse passwords across an average of 16 workplace accounts and IT security respondents say they reuse passwords across an average of 12 workplace accounts.”

Protecting Users and the Business

Alexa Slinger, an identity management expert with OneLogin a cloud identity and access management solution maker in San Francisco, noted that as the number of data breaches rise so, too, does the amount of stolen credentials.

“Despite the consistent media coverage of breaches, users continue to reuse passwords and put organizations at risk,” she told TechNewsWorld. “To protect their users and their business, organizations should put additional security measures in place.”

Such measures could include:

  • Limiting the number of authentication requests per session to decrease the speed of credential stuffing bot attacks.
  • Suggesting or requiring setup of multi-factor authentication which will require the bad actor to have another form of identification other than the stolen credential.
  • Use a compromised credential check to alert and prevent user’s from using breached login information.

You’ve Been Pwned

In recent times, consumers have begun receiving alerts when one of their passwords appears in a cache of stolen data. “Users who have embraced storing and generating their passwords through a secure password manager may get notification of known breaches,” Eichorst said.

“One of the primary values of a password manager is that it will let you know which of your online accounts have been breached,” added Chris Hazelton, director of security solutions at Lookout, a provider of mobile phishing solutions in San Francisco.

“It may also automate the password change process which allows you to react more quickly after a breach,” he told TechNewsWorld.

Eichorst added that individual companies with an online presence are improving their password checking methods to prohibit known leaked passwords.

That still isn’t a common practice yet, however. “It is definitely more common to be notified, but those notifications are just guidance and users are not prevented from continuing to use those compromised passwords,” noted David Stewart, CEO of Approov, of Edinburgh in the UK, which performs binary-level dynamic analysis of software.

“Consideration should be taken regarding whether users should be blocked from accessing services until they have updated a compromised password,” he told TechNewsWorld. “This is currently very rare but would seem like a sensible step.”

Consumers concerned about their passwords having been compromised can also be more proactive by running a check of their passwords at the HaveIBeenPwned website, which tracks email addresses and phone numbers that have been in data breaches over the past fifteen years.

John P. Mello Jr.

John P. Mello Jr. has been an ECT News Network reporter since 2003. His areas of focus include cybersecurity, IT issues, privacy, e-commerce, social media, artificial intelligence, big data and consumer electronics. He has written and edited for numerous publications, including the Boston Business Journal, the Boston Phoenix, Megapixel.Net and Government Security News. Email John.

Leave a Comment

Please sign in to post or reply to a comment. New users create a free account.

More by John P. Mello Jr.
More in Cybersecurity

Technewsworld Channels