Tax-related data breaches are becoming an annual occurrence in the United States. Following the massive 2015 hack, thieves nabbed 100,000 e-file PINs last year. Those numbers could be used to file fraudulent returns in an attempt to collect any potential refunds.

The Department of Education and the IRS shutdown the Data Retrieval Tool for the FAFSA in early March when the two learned the system was compromised. That tool helps import tax info to the lengthy financial aid forms. Late last month, both sides announced the feature would remain offline for the rest of this application season. Of course, that means families applying for federal aid have to find those old tax return details manually.

The New York Times reports the IRS became aware of a possible security flaw that would allow attackers to use the FAFSA tool to swipe tax info last fall. The concern is the same as the e-file PIN issue last year: those details could be used to file fraudulent claims to try and collect refunds. IRS commissioner John Koskinen told a Senate Finance Committee Thursday that the agency has already contacted 35,000 taxpayers and was planning to send notice to 100,000 total to warn them of a potential issue. Right now, the IRS believes fewer than 8,000 fake returns were filed and processed, but Koskinen admitted the full scope of the breach has yet to be determined.