TurboTax accounts hacked — what to do now

Turbox hack
(Image credit: Shutterstock)

Updated with comment from Intuit.

Financial-software maker Intuit has warned some users of its TurboTax tax-return-preparation software that their accounts may have been compromised. 

Intuit has locked those customers out of their accounts, Bleeping Computer reported. Affected TurboTax customers must call (800) 944-8596 and state the word "Security" when prompted, after which Intuit tech-support representatives will walk them through the process of regaining access.

The account compromises are the result not of any security failure on Intuit's end, Bleeping Computer reports, but of customers reusing passwords for their TurboTax accounts on unrelated accounts.

Tom's Guide has reached out to Intuit to confirm that notifications were sent to affected TurboTax customers, and we will update this story when we receive a reply. There was no immediate indication of how many TurboTax customers may have been affected.

Bleeping Computer said the notification sent to TurboTax customers warned that the personal information compromised may include "your name, Social Security number, address(es), date of birth, driver's license number and financial information (e.g., salary and deductions), and information of other individuals contained in the tax return."

Tax returns are a gold mine for identity thieves because they contain most of the information required to open accounts in other people's names, such as Social Security numbers and street addresses.

Standard U.S. tax forms do not ask for the tax filer's date of birth or driver's license number, but it's possible that that information is contained in TurboTax accounts.

What to do if your TurboTax account was hacked

If you do get a notification letter from Intuit regarding a compromised TurboTax account, you should call one of the Big Three credit-reporting agencies — Equifax, Experian and TransUnion — to institute a fraud alert. 

Once that alert is established, you will be notified every time a lender asks to "pull" your credit file to establish your creditworthiness. The credit bureau you notify will alert the other two bureaus. 

Fraud alerts are free and last for one year. You might also want to look into subscribing to one of the best identity-theft-protection services, which can help you recover from cases of identity theft that occur while you are a paying customer.

Contact numbers and websites to institute fraud alerts are contained in our article on what to do if your Social Security numbers is stolen. (Don't assume that your SSN was stolen until you get evidence that it might have been.)

If you get evidence that your personal information is indeed being misused by an unauthorized party, it might be time for a credit freeze, also detailed in our Social Security number story. 

Password reuse may be the single greatest reason why online accounts are taken over. Billions of username/password combinations stolen in data breaches and phishing attacks over the past two decades are easily available online. 

Identity thieves and other criminals have developed computer programs that will test websites with stolen credentials to break into accounts.

To make sure you don't have to reuse any passwords, try out one of the services on our list of best password managers. Some of them do everything you need for free.

Intuit responds

"When Intuit fraud prevention teams notice an attempted or successful login to an Intuit account that has leveraged harvested credentials from third-party sources," an Intuit spokesperson told Tom's Guide, "we immediately block access to that account, send a notification to the customer, require a process of identity verification by the account owner and credentials to be changed in order to re-access the account."

The letter seen by Bleeping Computer, the spokesperson said, was "a copy of a notification an individual customer received notifying them that Intuit fraud prevention locked their account due to what we believe is unauthorized attempted access."

The spokesperson said notifications of account takeovers are sent out routinely when the situation warrants. In this particular case, the spokesperson said, the letter was sent to a single TurboTax user in Massachusetts earlier this month.

Paul Wagenseil

Paul Wagenseil is a senior editor at Tom's Guide focused on security and privacy. He has also been a dishwasher, fry cook, long-haul driver, code monkey and video editor. He's been rooting around in the information-security space for more than 15 years at FoxNews.com, SecurityNewsDaily, TechNewsDaily and Tom's Guide, has presented talks at the ShmooCon, DerbyCon and BSides Las Vegas hacker conferences, shown up in random TV news spots and even moderated a panel discussion at the CEDIA home-technology conference. You can follow his rants on Twitter at @snd_wagenseil.