According to Intuit, which owns TurboTax, reports of a data breach of the tax preparation software have been exaggerated.
Several news sources recently reported that a wave of credential stuffing assaults had compromised an undisclosed number of TurboTax accounts. Such attacks make use of credentials obtained from other websites and re-used on the TurboTax website.
“Intuit systems were not breached,” stated spokesperson Rick Heineman.
He said that Intuit informed one Massachusetts client that their account had been restricted after detecting what seemed to be an attempt at illegal access.
He told TechNewsWorld, “We then shared a copy of that notice to the one person with local authorities.”
According to Heineman, when Intuit fraud prevention teams notice an attempted or successful login to an Intuit account that has leveraged harvested credentials from third-party sources, the company immediately blocks access to that account, sends a notification to the customer, requires the account owner to complete an identity verification process, and asks that their credentials be changed before the account can be accessed again.
“Intuit uses strong real-time fraud protection systems to report any perceived abnormal activity, both during login and in-product,” he added.
He went on to say that the firm has established a variety of organizational, technological, and administrative controls across its products and services to safeguard consumer information. Multi-factor authentication, encryption, as well as comprehensive logging, monitoring, and blocking features are all included.
On Saturday, Bleeping Computer reported that Intuit has informed TurboTax users that intruders had obtained some of their personal and financial information after what seems to be a series of account takeover attempts.
A similar article was published on the TechRadar website on Monday, reporting that Intuit, a financial software company, had informed customers of its TurboTax platform that attackers obtained some of their personal and financial information in what seemed to be a series of account takeover attempts.
According to James McQuiggan, a security awareness advocate at KnowBe4, a cybersecurity training company in Clearwater, Fla., a credential stuffing assault on a site like TurboTax could be very profitable.
“It gives them and potentially their immediate family access to personal information about the user, tax information, and, of course, their social security numbers,” he told TechNewsWorld.
“With over 8.4 million passwords in the public and over 3.5 billion of those passwords linked to real email addresses,” he added, “it offers a starting point for cyber thieves to attack different web companies that hold user accounts for their consumers.”
“Users who create accounts with previously exposed passwords make it simple for cyber thieves to acquire their data,” he said.
“Credential stuffing attacks are simple, low-risk, and offer a significant return on investment if successful,” said Leo Pate, an application security consultant with nVisium, a Herndon, Va.-based application security firm.
“From a criminal standpoint, many platforms don’t provide robust security measures, such as multi-factor authentication, or users simply don’t utilize them, even when they are available, leading to a greater rate of successful penetration,” he told TechNewsWorld.
Passwords Should Be Unique
Despite the fact that customers are warned against repeating passwords, they continue to do so. “It’s difficult to change old habits,” McQuiggan remarked.
“People hate coming up with new passwords for each account, for example,” he said. “They prefer to choose one that is easy to remember or one that has some variety, such as a different phone number or website name.”
“Consumers now utilize a plethora of internet services. Due to varying complexity requirements, length requirements, and the sheer quantity of services consumed, remembering a unique, strong password for each service is nearly impossible,” added Ben Eichorst, a principal engineer at Yubico, a maker of USB and wireless authentication solutions based in Palo Alto, Calif.
According to a recent study, 51% of IT security respondents claim their companies have suffered a phishing assault, with another 13% saying their organizations have experienced credential theft. Despite this, just 53% of IT security respondents claim their companies have altered the way passwords and protected corporate accounts are handled.
“Interestingly, people repeat passwords over an average of 16 workplace accounts, while IT security respondents indicate they reuse passwords across an average of 12 workplace accounts,” he added.
Keeping Users and the Company Safe
As the number of data breaches rises, so does the number of stolen credentials, according to Alexa Slinger, an identity management specialist at OneLogin, a cloud identity and access management solution provider in San Francisco.
“Despite the constant coverage of data breaches in the media, people continue to reuse passwords, putting businesses at danger,” she told TechNewsWorld. “Organizations should implement extra security measures to safeguard their users and their company.”
Measures like these may be taken:
Limit the number of authentication requests per session to slow down credential stuffing bot assaults.
Suggest or mandate the use of multi-factor authentication, which requires the bad actor to have a second form of identity in addition to the stolen credential.
Use a compromised credential check to warn users and prevent them from using stolen credentials.
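The three measures above can be combined in one login path. The following is an added example written for this article, not code from Intuit, OneLogin or any product named here. It caps attempts per session, requires a second factor before granting a session, and checks the password against a breach corpus using the same k-anonymity shape as the HaveIBeenPwned Pwned Passwords range API (the client hashes locally with SHA-1 and sends only the first five hex characters; the server returns every known suffix under that prefix). The breach corpus, the usernames, the hit counts and the attempt cap are constructed for the example; a real deployment would back `range_lookup` with a maintained breach feed.

```python
import hashlib
import hmac
import os
from collections import defaultdict

# Constructed breach corpus: password -> times seen in breach dumps.
# The passwords are common ones; the counts are made up for this example.
BREACHED_PASSWORDS = {
    "password": 3_861_493,
    "123456": 37_359_195,
    "qwerty": 3_946_737,
    "Summer2021!": 12,
}


def build_range_index(corpus):
    """Index the corpus by the first 5 hex chars of its SHA-1, as a range API does."""
    index = defaultdict(dict)
    for pw, count in corpus.items():
        digest = hashlib.sha1(pw.encode("utf-8")).hexdigest().upper()
        index[digest[:5]][digest[5:]] = count
    return index


RANGE_INDEX = build_range_index(BREACHED_PASSWORDS)


def range_lookup(prefix):
    """Server side of the k-anonymity lookup: the caller sends only a 5-char
    prefix and gets every (suffix, count) under it, so the full hash never
    leaves the client and the server cannot tell which password was checked."""
    if len(prefix) != 5 or any(c not in "0123456789ABCDEF" for c in prefix):
        raise ValueError("prefix must be 5 uppercase hex characters")
    return dict(RANGE_INDEX.get(prefix, {}))


def breach_count(password):
    """Client side: hash locally, query by prefix, match the suffix at home."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return range_lookup(digest[:5]).get(digest[5:], 0)


def hash_password(password, salt=None):
    """Salted PBKDF2 for storage; SHA-1 above is only for the breach lookup."""
    salt = salt or os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


class LoginGuard:
    """Per-session attempt cap, MFA requirement and breached-credential check."""

    MAX_ATTEMPTS_PER_SESSION = 5  # constructed limit for the example

    def __init__(self, require_mfa=True):
        self.require_mfa = require_mfa
        self._users = {}                    # username -> (salt, pbkdf2 hash)
        self._attempts = defaultdict(int)   # session id -> attempts so far
        # Dummy record so unknown usernames cost the same as known ones.
        self._dummy = hash_password("dummy-account")

    def register(self, username, password, check_breach=True):
        """Refuse a password already seen in breach data. check_breach=False
        models legacy accounts created before the check existed."""
        if check_breach and breach_count(password) > 0:
            return "rejected_breached_password"
        self._users[username] = hash_password(password)
        return "registered"

    def attempt(self, session_id, username, password, mfa_ok=False):
        self._attempts[session_id] += 1
        if self._attempts[session_id] > self.MAX_ATTEMPTS_PER_SESSION:
            return "rate_limited"            # slows stuffing bots per session
        salt, stored = self._users.get(username, self._dummy)
        _, candidate = hash_password(password, salt)
        if not (hmac.compare_digest(candidate, stored) and username in self._users):
            return "invalid_credentials"
        if self.require_mfa and not mfa_ok:
            return "mfa_required"            # a stolen password alone is not enough
        if breach_count(password) > 0:
            # Correct but known-stolen password: warn and withhold the session
            # until the user has changed it.
            return "password_reset_required"
        return "ok"
```

In this design the breach check runs both at registration (so a compromised password is never accepted) and at login (so accounts created before the check, or passwords that leaked later, are caught the next time they are used). The per-session counter is deliberately simple; production systems usually also key on source IP and username and back the counter with shared storage so it survives across instances.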
You’ve been pwned, and you’re not even aware of it.
Consumers have recently started getting notifications when one of their passwords appears in a cache of stolen data. “Users who have adopted using a secure password manager to store and generate their passwords may get notice of known breaches,” Eichorst added.
“One of the main benefits of a password manager is that it will notify you if any of your online accounts have been compromised,” said Chris Hazelton, director of security solutions at Lookout, a San Francisco-based supplier of mobile phishing solutions.
“It may also automate the password changing process,” he told TechNewsWorld. “This enables you to respond more swiftly following a breach.”
Individual businesses with an online presence, according to Eichorst, are upgrading their password verification techniques to prevent known stolen credentials.
However, this isn’t currently a widespread practice. “Being alerted is certainly more frequent,” said David Stewart, CEO of Approov, an Edinburgh-based company that conducts a binary-level dynamic analysis of software. “However, such warnings are simply advice, and users are not prohibited from continuing to use those stolen credentials.”
“Thought should be given to whether users should be prevented from accessing services until a hacked password has been changed,” he told TechNewsWorld. “This is very uncommon right now, but it seems like a reasonable move.”
Consumers who are worried about their credentials being stolen may be more proactive by checking their passwords on the HaveIBeenPwned website, which monitors email addresses and phone numbers that have been compromised in data breaches over the last fifteen years.