TurboTax maker Intuit locked many users out of their accounts last week after identity thieves exploited reused passwords to hijack an undisclosed number of accounts.
"It appears an unauthorized party may have accessed your account by using your username and password combination that was obtained from a non-Intuit source," the company said in a form letter sent out to holders of affected accounts and posted by Vermont's state attorney general.
"The unauthorized party may have obtained ... your name, Social Security number, address(es), date of birth, driver's license number and financial information."
Intuit said there was no breach of its own systems. Rather, these account hijacks seem to stem from "credential stuffing," in which crooks harvest usernames and passwords from old data breaches and try using them to break into unrelated accounts. Credential stuffing is only effective if a user — you and I, in other words — uses the same password to secure more than one account.
If you get one of these notification letters from Intuit, you'll have to call the company at (800) 944-8596 or email it at firstname.lastname@example.org. You'll also get a free year of identity protection from Experian IdentityWorks on Intuit's dime.
But you should also institute a credit freeze on your files with the credit-reporting agencies, because once an identity thief has your name, date of birth, Social Security number and current and former addresses, you're hosed. The thief can open pretty much any account in your name with that information — unless you freeze your credit files.
To do so, contact Equifax at 888-298-0045 or https://www.equifax.com/personal/credit-report-services/; Experian at 888-397-3742 or https://www.experian.com/freeze/center.html; and TransUnion at 888-909-8872 or https://www.transunion.com/credit-freeze.
Credit freezes are now free to institute and to toggle off and on. You'll have to temporarily "unfreeze" your credit if you need to get a new credit card, open a new utility account or get a new loan.
And for sanity's sake, please get a password manager. You should not be reusing any passwords for accounts that handle personal or financial information, including online banking, online shopping, tax-preparation, social-media or webmail accounts.
Best Identity Protection Services
Get it. IdentityForce UltraSecure+Credit is the best overall service for both credit monitoring and identity protection. It also protects your account with two-factor authentication.
LifeLock Ultimate Plus
It's worth it. Get LifeLock Ultimate Plus if you're very worried about having your identity stolen and you also need antivirus software. But you can get better credit monitoring for less with IdentityForce UltraSecure+Credit.