Intuit Informs TurboTax Customers of Account Takeovers

Financial software company Intuit recently informed customers of its TurboTax product of a series of potential account takeovers, allowing access to some personally-identifying information. 

Intuit insisted in a breach notification letter to customers that the takeover attacks did not amount to a “systemic data breach of Intuit.” Further, it noted that the threat actors obtained credentials through “a non-Intuit source.”

We consulted with cybersecurity experts about the TurboTax Attack Takeovers. Here’s what they had to say. 

Intuit Informs TurboTax Customers of Account Takeovers

Kim DeCarlis

Kim DeCarlis is the CMO at PerimeterX.

“Account takeover (ATO) attacks are a major threat to any business. It is much simpler and lucrative to walk in through the front door of a digital business with valid stolen credentials than to look for holes in an organization’s cybersecurity defenses. PerimeterX research found that between 75-85% of all login attempts in the second half of 2020 were account takeover attempts. Unfortunately, this was the case for TurboTax. Businesses need to be aware of signs that they’ve been attacked – including surges in help desk calls, spikes in password resets and inhuman user behaviors such as thousands of login attempts on an account in a short time period – and take appropriate action. Consumers need to make sure they are using different passwords on every site and locking down their credit reports as well.”

Saryu Nayyar

Saryu Nayyar (she/her) is CEO of Gurucul. 

“This is the holy grail for cyber-criminals and a nightmare for TurboTax customers. Armed with social security numbers and associated personally identifiable information (names, addresses, birth dates), criminals can quickly open credit card accounts (and a host of other accounts) and shop till they drop – all on the victim’s identity. And the clean-up to clear one’s name is painful and continuous for all the victims. This particular breach was avoidable in that credentials were stolen from other online services following past data breaches. It cannot be overstated that individuals must change all passwords following a breach notification. Credentials should never be reused. You absolutely need unique credentials for each and every service, especially those where you are transacting financial data.”

Baber Amin

Baber Amin is COO of Veridium.

“Password reuse and its downstream implications are the key with what happened at TurboTax. Unfortunately, password reuse is still a norm, despite warnings, because as mere normal humans we have a limited capacity to remember passwords.  Given the ever-increasing need to be digital in every aspect of our lives, many reuse passwords.

“The flip side of this coin is credential stuffing. Once a password is compromised and available, it can be used to impersonate actual real users.

“The best way to eliminate this vector is to eliminate passwords. No Password = no credential to stuff. The second-best way to eliminate credential stuffing is to add contextual multifactor authentication that is either dynamic based on risk or based on static rules.  This is the cheapest way to thwart a credential stuffing attack. Either way points to either eliminating the weakest link or shoring it up.”

James McQuiggan

James McQuiggan is Security Awareness Advocate at KnowBe4.

“This credential stuffing attack is highly lucrative. It provides access to personal information about the user, their tax information, and of course, their social security numbers for them and possibly their immediate family.

With over 8.4 million passwords in the wild and over 3.5 billion of those passwords tied to actual email addresses, it provides a starting point for cyber criminals to target various online sites that utilize accounts for their customers. If users set up accounts with the previously exposed passwords, they are making it easy for cyber criminals to steal their data.

Users should ensure they are using strong passwords or passphrases for all of their accounts and, where available, using Multi-Factor Authentication (MFA) to protect and secure their accounts.  This way, in the event of a password credentialing attack, it will reduce their risk of exposure to losing their sensitive, personal data.”

David Stewart

David Stewart is CEO of Approov.

“Credential stuffing attacks, utilizing usernames/passwords extracted from unconnected data breaches, are one of the most common account takeover mechanisms. The simplest way to prevent such exploits is to ensure that usernames/passwords on their own are not enough to gain access to backend systems. Adding a requirement for appropriate and independently verified additional factors (eg 2FA, biometrics, app authentication) to gain access to your servers will make your business dramatically less likely to suffer account takeover attacks.”

Purandar Das

Purandar Das is Co-founder and Chief Strategist at Sotero.

“This is an example of the cascading and long-lasting impact of data breaches. Data stolen from one or more organizations is compiled and then sold to criminals. While it is easy, in this case, to claim that there was no systemic breach it still puts a spotlight on the organization that was used to access account information. At the very minimum, dual-factor authentication would have prevented this issue. Longer-term organizations have to account for the fact the stolen data or user credentials is widely available. Accounting for that with dual-factor authentication or device-based access in the short term and ML-based authentication is a must. Passing the blame on to the consumer is not acceptable. It is just not feasible nor sustainable to push the onus on consumers to create and manage tens if not hundreds of passwords.”

Thanks to these experts for their time and expertise on the TurboTax Account Takeovers. For more on protecting your employees’ and privileged users’ credentials, download the Identity Management Buyer’s Guide or the Solutions Suggestion Engine.