Hackers have accessed tax return information stored with TurboTax by using a password stolen from a third party.
The attack did not breach the internal systems at Intuit, which owns TurboTax. The attackers took passwords stolen from other services and tried them against TurboTax accounts to log in. Tax returns contain users' personal details, such as Social Security numbers, names and addresses.
Only one account, that of a customer in Vermont, was accessed, according to a TurboTax spokesperson.
The attack method, called “credential stuffing,” works mainly because users reuse the same password across multiple accounts. Using the same password for your TurboTax account and some other service is a great risk if that other service gets hacked.
Users must use a unique password and also set up two-factor authentication as an additional security measure, in which another device is needed to provide a one-time code while signing in.
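On the service side, credential stuffing as described above tends to show up in login logs as one source trying many different accounts with a low success rate, unlike a user mistyping their own password. The Python below is an added example, not code from the article or from Intuit; it flags such sources and lists the accounts that logged in successfully from them, so those passwords can be reset. The log format, thresholds and function names are assumptions, and the sample log is constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample auth log: timestamp, source IP, username, outcome.
# IPs come from the RFC 5737 documentation ranges.
SAMPLE_LOG = """\
2024-03-01T09:00:01 203.0.113.7 alice FAIL
2024-03-01T09:00:02 203.0.113.7 bob FAIL
2024-03-01T09:00:03 203.0.113.7 carol FAIL
2024-03-01T09:00:04 203.0.113.7 dave OK
2024-03-01T09:00:05 203.0.113.7 erin FAIL
2024-03-01T09:00:06 203.0.113.7 frank FAIL
2024-03-01T09:01:00 198.51.100.20 grace FAIL
2024-03-01T09:01:05 198.51.100.20 grace FAIL
2024-03-01T09:01:09 198.51.100.20 grace OK
2024-03-01T09:02:00 192.0.2.44 heidi FAIL
2024-03-01T09:02:03 192.0.2.44 heidi FAIL
2024-03-01T09:02:06 192.0.2.44 heidi FAIL
"""

def parse(log):
    """Yield (time, ip, username, success) tuples from the assumed log format."""
    for line in log.splitlines():
        ts, ip, user, outcome = line.split()
        yield datetime.fromisoformat(ts), ip, user, outcome == "OK"

def stuffing_sources(events, window=timedelta(minutes=5),
                     min_accounts=5, max_success=0.5):
    """Return {ip: usernames that logged in} for sources that look like stuffing."""
    by_ip = defaultdict(list)
    for ev in sorted(events):
        by_ip[ev[1]].append(ev)
    flagged = {}
    for ip, evs in by_ip.items():
        start = 0
        for end in range(len(evs)):
            # Slide the window so it never spans more than `window` of time.
            while evs[end][0] - evs[start][0] > window:
                start += 1
            span = evs[start:end + 1]
            users = {u for _, _, u, _ in span}
            hits = {u for _, _, u, ok in span if ok}
            # Many distinct accounts from one source, most of them failing.
            if len(users) >= min_accounts and len(hits) / len(users) <= max_success:
                flagged.setdefault(ip, set()).update(hits)
    return flagged

if __name__ == "__main__":
    print(stuffing_sources(parse(SAMPLE_LOG)))
```

Repeated failures against a single account (the `grace` and `heidi` lines) are deliberately not flagged here, because they match a forgotten password or a brute-force attempt rather than stuffing.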