Just in time for tax season, the Cedar Rapids, Iowa-based preparation firm TaxAct reported a breach that led the company to freeze more than 9,000 customer accounts.
TaxAct, an arm of Blucora Inc., sent a letter to 450 customers informing them that an unauthorized third party accessed their accounts between Nov. 10 and Dec. 4, 2015.
"We have no evidence that any TaxAct system has been compromised and believe the third party used username and password combinations obtained from sources outside of our own system," the letter read. "In order to stop this unauthorized access, we have temporarily disabled your account."
In addition, the letter revealed TaxAct reviewed its website logs for account activity following the attempted unauthorized access, and found tax returns stored in customer accounts may have been opened or printed.
"These documents may contain your name and Social Security number, and may also contain your address, driver's license number and bank account information," the letter continued.
However, cybersecurity experts warned that data breaches sometimes cause more damage than companies assume.
TaxAct also froze the accounts of an additional 9,000 customers, notifying them via email they will require additional verification this year.
"It seems [TaxAct] determined that these [450] accounts were accessed based on strange activity, as opposed to the other 9,000 records," Paul Kubler, cybersecurity and digital forensics examiner at the New York City-based LIFARS, said. "Somehow, they acquired the passwords and stole data. I recommend other sites mandate password changes."
Dodi Glenn, vice president, cybersecurity at the Sioux City, Iowa-based PC Pitstop, cautioned, "TaxAct claims that they were not breached, but that the usernames and passwords of their customers were found from other sources. With username and password reuse, an individual may use the same email address or username and password on site A that they would use on sites B and C. When site A gets compromised, the hacker uses an underground tool to check other various sites to see if this account login and password combination exists elsewhere."
Glenn noted this appeared to be what TaxAct meant when it referred to sources outside its system.
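As an added example (not from the article or from TaxAct), here is one way a log review like the one described could flag credential-stuffing sources and triage the accounts they touched. The event format, thresholds and sample data are assumptions constructed for illustration.

```python
from collections import defaultdict

# Constructed sample events (not real data): (source_ip, username, event).
# Assumed event names: login_fail, login_ok, return_opened, return_printed.
EVENTS = [
    ("203.0.113.7", "alice", "login_fail"),
    ("203.0.113.7", "bob", "login_ok"),
    ("203.0.113.7", "bob", "return_opened"),
    ("203.0.113.7", "carol", "login_ok"),
    ("203.0.113.7", "dave", "login_fail"),
    ("203.0.113.7", "erin", "login_fail"),
    ("198.51.100.4", "frank", "login_fail"),   # one user mistyping a password
    ("198.51.100.4", "frank", "login_ok"),
    ("198.51.100.4", "frank", "return_printed"),
]

def stuffing_sources(events, min_users=4, min_fail_ratio=0.5):
    """Source IPs that tried many distinct usernames and mostly failed,
    the pattern left by replaying credential lists from another site."""
    users, attempts, fails = defaultdict(set), defaultdict(int), defaultdict(int)
    for ip, user, event in events:
        if event.startswith("login_"):
            users[ip].add(user)
            attempts[ip] += 1
            fails[ip] += event == "login_fail"
    return {ip for ip in users
            if len(users[ip]) >= min_users
            and fails[ip] / attempts[ip] >= min_fail_ratio}

def triage(events, **thresholds):
    """Split accounts touched by flagged sources into three disjoint groups:
    exposed  - a stored return was opened or printed (notify, disable)
    accessed - login succeeded, no document activity seen (force reset)
    targeted - only failed logins (require additional verification)"""
    bad = stuffing_sources(events, **thresholds)
    targeted, accessed, exposed = set(), set(), set()
    for ip, user, event in events:
        if ip not in bad:
            continue
        targeted.add(user)
        if event == "login_ok":
            accessed.add(user)
        elif event in ("return_opened", "return_printed"):
            exposed.add(user)
    accessed -= exposed
    targeted -= accessed | exposed
    return {"exposed": sorted(exposed), "accessed": sorted(accessed),
            "targeted": sorted(targeted)}
```

A per-IP threshold misses attacks spread across many addresses, so in practice the same grouping would also be run per user agent, ASN or time window.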
"Kudos to TaxAct for reacting quickly, notifying its users and providing credit monitoring and restoration services at no charge," Glenn added.
Stu Sjouwerman, founder/CEO of the Clearwater, Fla.-based KnowBe4, warned, "We would recommend to file with the IRS as soon as possible to prevent Identity Theft and a false tax return. Next, stay very alert for spear phishing attacks having to do with taxes. These identities sometimes lead to highly targeted attacks."
"They say their system was not breached, but that does not mean it is not their fault," Kubler added. "Possibly, they have weak passwords, clear text submission and caching of data that makes the job easier for an attacker. Or, their password rotation policies could be non-existent. Always change the password."