Financial software company Intuit has notified TurboTax customers that some of their personal and financial information was accessed by attackers following what looks like a series of account takeover attacks.

 

In a breach notification letter sent to affected customers earlier this month, the company said that this was not a "systemic data breach of Intuit."

 

In account takeover attacks, cybercriminals gain access to their victims' accounts using credentials stolen from other online services following past data breaches.

 

This type of attack works incredibly well against targets who use the same login credentials for multiple sites or services.

TurboTax accounts hacked using reused credentials

Intuit discovered during a security review that an undisclosed number of TurboTax accounts was breached and customer info was exposed. 

 

The company's investigation revealed that the threat actors used credentials (usernames and passwords) obtained from "a non-Intuit source" to gain access to the accounts.

 

"By accessing your account, the unauthorized party may have obtained information contained in a prior year's tax return or your current tax return in progress, such as your name, Social Security number, address(es), date of birth, driver's license number and financial information (e.g., salary and deductions), and information of other individuals contained in the tax return," Intuit explained.

 

"We deeply regret that this incident may affect you. Intuit has taken various measures to help ensure that the accounts of affected customers are protected. We are notifying you so you can take steps to help protect your information," the company added.

 

After discovering the attacks, Intuit temporarily disabled the breached TurboTax accounts. Users who had their accounts deactivated must contact Intuit's Customer Care department at 1-800-944-8596 and say "Security" when prompted.

 

Afterward, Intuit employees will walk them through an identity verification procedure designed to help reactivate the accounts.

Previous alerts of threat actors taking over TurboTax accounts

This is not the first time attackers have successfully hacked into TurboTax users' accounts and stole financial and personal information.

 

TurboTax customers were previously targeted in at least three other series of account takeover attacks in 2014/2015 and again in 2019.

 

Just as after the previous three incidents, Intuit provides one year of free identity protection, credit monitoring, and Experian IdentityWorks identity restoration services to impacted customers.

 

Intuit and TurboTax spokespersons were not available for comment when contacted by BleepingComputer earlier for further info on the breach dates and the number of impacted accounts.