Intuit catches 'credential stuffing' attack on TurboTax account

Intuit recently notified the state of Vermont about a cybercriminal who used a technique known as “credential stuffing” to gain access to a state resident’s TurboTax account.

The Mountain View, California-based tax and accounting software developer forwarded a copy of the notice it sent to the TurboTax user about the unauthorized access it detected. The hacker apparently was able to get legitimate log-in credentials for TurboTax from an outside source and use them to access a customer’s account. However, Intuit stressed there was no data breach at the company.

“To be wholly clear, there was no data breach of Intuit’s systems,” said Intuit spokesperson Rick Heineman. “There was not any third party accessing Intuit systems. The notice referenced in a recent blog post is a notification Intuit sent to Vermont informing of Intuit discovering what it believes is unauthorized access of a customer’s account as a result of a fraudulent account log-in, not a data breach of Intuit. This notice is standard communication between Intuit and states and does not constitute notice of a systemic data breach. Intuit has been sending these types of notices to states for many years, so this is absolutely not a new practice.”

A security expert sees “credential stuffing” becoming more prevalent among cybercriminals. “The credential stuffing attack against TurboTax showcases how hackers are quickly using stolen credentials — increasingly from the dark web — to carry out a variety of crimes,” said Chris Rouland, CEO of the cybersecurity company Phosphorus. “Personal information, including usernames and passwords, are a hot commodity on the dark web, allowing hackers to gather valuable intel and merge data from multiple sources to build dossiers on potential victims. Armed with that data, hackers can then carry out credential stuffing operations not just on companies like TurboTax, but on individuals, whose personal computers and even IoT [internet of things] devices can easily be compromised through shared credentials and credential stuffing alike. Also, the recent North Korea nuclear strike hoax was likely an example of IoT credential stuffing. We expect to see an increase in these types of crimes as mass data dump sales, especially username/password combos, become the currency of the dark web.”

Intuit was able to detect the unauthorized activity and alert the user whose account was accessed by the hacker. “After discovering what we believe is unauthorized access to an individual’s account, we conducted an investigation and took steps to secure our customers’ accounts and information,” said Heineman. “We believe a third party used legitimate log-in credentials that were obtained from non-Intuit sources and used them to access an Intuit account.”

He noted that the customer’s account login information could have been acquired from “any number of sources other than Intuit.”

Heineman said Intuit makes security a top priority and is continuing to invest in security and fraud protection. That includes:

  • Providing suspicious activity reports for additional investigation based on risk scoring;
  • Developing third-party partnerships to provide knowledge-based authentication;
  • Validating IP addresses to look for discrepancies in IP addresses and block high-risk transactions from suspect geographies;
  • Implementing multi-factor authentication that requires customers to validate their identity in multiple ways; and
  • Linking federal and state returns and requiring them to be filed simultaneously.

He said Intuit has also created a fraud resolution process to help affected customers with “restoring their identity.” The company posts security best practices and other information on its Online Security Center, and for years has been sending out notices like the one it sent to Vermont, informing authorities about Intuit’s security practices.
