The attack, earlier reported in Dark Reading, didn’t breach the internal systems at Intuit, which owns TurboTax. Instead, attackers took lists of passwords stolen from other services and used them to try to log in to TurboTax accounts, the spokesman said. There, valuable personal information, such as Social Security numbers, names and addresses, is stored in tax returns.
Only one account was accessed, the TurboTax spokesman said. The account was of a customer in Vermont.
The technique is called “credential stuffing,” and it works because people reuse the same password across multiple accounts. You’re at risk if you use the same password for your TurboTax account and some other service that got hacked. It’s the same approach hackers appeared to use to take over a Nest security cameraowner’s device in January and play a hoax message.
Read More.. Source CNet