TurboTax Credential Stuffing Incident Provides Password Recycling Lesson

The TurboTax non-breach data incident should at least provide a lesson on password reuse and the danger they present after hackers accessed tax-return information using stolen credentials from another source.

According to a blog post from Intuit, the parent of TurboTax, “There has been NO data breach of Intuit’s systems. There was NO third party that accessed Intuit systems or accessed customer information stored in those systems.”

Intuit noted a recent blog post (on the website Dark Reading) referencing an Intuit data breach was inaccurate. “The document referenced in the blog post was a notification to a state (Vermont) that a customer’s account experienced unauthorized access by a third party using legitimate log-in credentials that Intuit believes were obtained from sources outside the company. The individual’s account login information may have been acquired from any number of sources outside of Intuit.”

In instances of unauthorized account access Intuit said it conducts an investigation and takes steps to secure customers’ account and information.  A part of this process is notification to a customer of unauthorized access to their account and to select states. The notification letter revealed by accessing an account, hackers could access tax returns from the prior year, current tax returns in progress, names, Social Security numbers, addresses, birthdates, driver’s license numbers and financial information such as salaries and deductions.

“With a success rate of 1 or 2 per 1000 accounts [according to the Open Web Application Security Project] credential stuffing is potentially very rewarding,” said Colin Bastable, CEO of Austin, Texas-based cybersecurity test and training company, Lucy Security.

At the heart of account takeovers lies phishing: over 90% of credentials are stolen as a result of phishing attacks, Bastable pointed out. “Hackers are able to cross-reference multiple passwords against valid user identities, bought from the dark web, in the same way that big data is deployed by major corporations to know their customers in incredible detail.” He added with so many millions of compromised credentials in the wild, organized crime rings and governments have the means at their disposal, as well as the financial incentives, to deploy credential stuffing to great effect.

“To combat it, some organizations deploy password-less login, which is effectively a password reset at each login. By avoiding the need for stored passwords, the threat of illicit account access is reduced,” Bastable said. In addition, companies like Apple are imposing mandatory multi factor authentication on their user base in order to combat fraud. “The best solution is to combine technology and best practice with user training: 20% of people are especially likely to become phishing victims, so organizations must identify and continuously train them to reduce their risk profile.”

Stephen Moore, chief security strategist for San Mateo, Calif.-based security management firm Exabeam commented: “The most seasoned and well-resourced security teams can be easily overwhelmed by the volume of organizational alerts they receive in a day. That complexity, when combined with the inherent difficulties of detecting credential-based attacks, because the attackers are impersonating legitimate users, creates an environment that lacks control and trust. In this case, the security incident was likely the result of malicious actors using previously collected or breached login data to access accounts.”

Moore suggested to remediate incidents involving user credentials and respond to adversaries, the key is to move fast and consider an approach closely aligned with monitoring user behavior. This should include the ability to detect, using behavioral characteristics, when events have occurred, especially when it comes to customer-facing incidents.

Not only individuals but businesses should remain attentive. “Small business owners should always remain hypervigilant when providing personal or business identifying information like tax IDs, Social Security numbers, or payroll information,” Jessica Ortega, website security analyst at Scottsdale, Ariz. cybersecurity firm SiteLock, said.

Ortega added, checking the URL of any website for unusual characters is a great place to start. When in doubt, business owners should enter the exact website address they intended to visit or call the company they’re working with directly to ensure they’re talking to the right person and not a scammer.

“Business owners should practice good cyberhygiene year-round and provide cyberawareness training to their employees. Knowing how to spot phishing and social engineering scams as regular practice prior to the stressful tax season helps to prepare them for the uptick that occurs around tax time,” Ortega said. She added, using strong and varied passwords for their business and tax accounts helps ensure attackers cannot breach all of these accounts, even if they gain access to one email address or password.