TurboTax customer tax return information has been exposed via a credential stuffing attack. In this attack, the networks of TurboTax were not compromised; instead, threat actors used username and password combinations from previous non-TurboTax security breaches to gain access to customer accounts. Any information disclosed on their tax return, such as Social Security number, date of birth, financial information, and any spouse and dependent information was available for the threat actor and can easily be used to commit identity theft. This incident is another reminder of the dangers of password reuse across multiple accounts. TurboTax temporarily disabled affected accounts; customers can call 1-800-944-8596 to verify their identity and reactivate their account. TurboTax is also offering a year of free identity protection, credit monitoring, and identity restoration services to impacted customers.

Data BreachNJCCIC