Financial software company Intuit discovered that tax return info was accessed by an unauthorized party after an undisclosed number of TurboTax tax preparation software accounts were breached in a credential stuffing attack.

In a credential stuffing attack, attackers compile usernames and passwords that were leaked in previous security breaches and use those credentials to try to gain access to accounts at other sites. This type of attack works particularly well against users who use the same password at every site.

In the notice of data breach sent to the TurboTax users impacted by this security breach incident, Intuit says that:

Based on our investigation, it appears an unauthorized party may have accessed your account by using your username and password combination that was obtained from a non-Intuit source. The unauthorized access occurred [on/from] [date/date range]. By accessing your account, the unauthorized party may have obtained information contained in a prior year's tax return or your current tax return in progress, such as your name, Social Security number, address(es), date of birth, driver's license number and financial information (e.g., salary and deductions), and information of other individuals contained in the tax return.

In the TurboTax data breach notification filed with the Office of the Vermont Attorney General, Intuit also states that the breach was discovered during a security review of its systems.

Following the discovery of the security breach, Intuit decided to temporarily disable the TurboTax accounts which were breached in the credential stuffing attack.

TurboTax users who had their accounts temporarily deactivated have to contact Intuit's Customer Care department at 1-800-944-8596 and say "Security" when prompted, after which Intuit employees will walk them through an identity verification procedure designed to help them reactivate their accounts.

To re-enable their accounts, TurboTax customers can also e-mail Intuit at TTaxInvestigations@intuit.com for further details on what steps they need to go through to reinstate their accounts.

Intuit also said that:

We deeply regret that this incident may affect you. Intuit has taken various measures to help ensure that the accounts of affected customers are protected. We are notifying you so you can take steps to help protect your information.

The company also provides one year of free identity protection, credit monitoring, and Experian IdentityWorks identity restoration services to customers impacted by the data breach to further protect their TurboTax accounts.

Intuit account protection measures

Intuit's TurboTax was previously breached, and customer tax return information was leaked, after two other credential stuffing attacks on 02/01/2014 and 02/27/2015, according to a data breach notice filed with the Office of the California Attorney General on 04/06/2015.

BleepingComputer has reached out to Intuit for further information on the breach dates and the number of accounts impacted in the event but had not heard back at the time of this publication. This article will be updated when a response is received.

Update 2/24/19: As was said in our article, this was a credential stuffing attack affecting only specific accounts and not Intuit's systems. In Intuit's statement below, they reiterate this information.