Your TurboTax Account Could Be Stolen: What to Do Now

TurboTax maker Intuit locked many users out of their accounts last week after identity thieves exploited reused passwords to hijack an undisclosed number of accounts.

Credit: Sharaf Maksumov/Shutterstock

(Image credit: Sharaf Maksumov/Shutterstock)

"It appears an unauthorized party may have accessed your account by using your username and password combination that was obtained from a non-Intuit source," the company said in a form letter sent out to holders of affected accounts and posted by Vermont's state attorney general.

"The unauthorized party may have obtained ... your name, Social Security number, address(es), date of birth, driver's license number and financial information."

Intuit said there was no breach of its own systems. Rather, these account hijacks seem to stem from "credential stuffing," in which crooks harvest usernames and passwords from old data breaches and try using them to break into unrelated accounts. Credential stuffing is only effective if a user — you and I, in other words — uses the same password to secure more than one account.

MORE: What to Do After a Data Breach

If you get one of these notification letters from Intuit, you'll have to call the company at (800) 944-8596 or email it at You'll also get a free year of identity protection from Experian IdentityWorks on Intuit's dime.

But you should also institute a credit freeze on your files with the credit-reporting agencies, because once an identity thief has your name, date of birth, Social Security number and current and former addresses, you're hosed. The thief can open pretty much any account in your name with that information — unless you freeze your credit files.

To do so, contact Equifax at 888-298-0045 or; Experian at 888-397-3742 or; and TransUnion at 888-909-8872 or

Credit freezes are now free to institute and to toggle off and on. You'll have to temporarily "unfreeze" your credit if you need to get a new credit card, open a new utility account or get a new loan.

And for sanity's sake, please get a password manager. You should not be reusing any passwords for accounts that handle personal or financial information, including online banking, online shopping, tax-preparation, social-media or webmail accounts.

Best Identity Protection Services

Paul Wagenseil

Paul Wagenseil is a senior editor at Tom's Guide focused on security and privacy. He has also been a dishwasher, fry cook, long-haul driver, code monkey and video editor. He's been rooting around in the information-security space for more than 15 years at, SecurityNewsDaily, TechNewsDaily and Tom's Guide, has presented talks at the ShmooCon, DerbyCon and BSides Las Vegas hacker conferences, shown up in random TV news spots and even moderated a panel discussion at the CEDIA home-technology conference. You can follow his rants on Twitter at @snd_wagenseil.