Just in time for tax season, the Cedar Rapids, Iowa-based preparation firm TaxAct reported a breach that led the company to freeze more than 9,000 customer accounts.

TaxAct, an arm of Blucora Inc., sent a letter to 450 customers informing them that an unauthorized third party accessed their accounts between Nov. 10 and Dec. 4, 2015.

“We have no evidence that any TaxAct system has been compromised and believe the third party used username and password combinations obtained from sources outside of our own system,” the letter read. “In order to stop this unauthorized access, we have temporarily disabled your account.”

In addition, the letter revealed TaxAct reviewed its website logs for account activity following the attempted unauthorized access, and found tax returns stored in customer accounts may have been opened or printed.

“These documents may contain your name and Social Security number, and may also contain your address, driver's license number and bank account information,” the letter continued.

However, cybersecurity experts warned sometimes data breaches cause more damage than companies assume.

TaxAct also froze the accounts of an additional 9,000 customers, notifying them via email they will require additional verification this year.

“It seems [TaxAct] determined that these [450] accounts were accessed based on strange activity, as opposed to the other 9,000 records,” Paul Kubler, cybersecurity and digital forensics examiner at the New York City-based LIFARS, said. “Somehow, they acquired the passwords and stole data.”