Cyber Incident Victim: Intuit TurboTax

In June 2021, Intuit notified an undisclosed number of TurboTax customers that their accounts had been compromised through account takeover (ATO) attacks. The company discovered unauthorized access during a security review, determining that threat actors obtained credentials—usernames and passwords—from non-Intuit sources, likely through credential stuffing or reuse of credentials exposed in prior third-party breaches. Intuit emphasized this was not a systemic breach of its systems but rather targeted attacks exploiting reused login details. Compromised accounts exposed personal and financial information from prior or in-progress tax returns, including names, Social Security numbers, addresses, dates of birth, driver’s license numbers, salary details, deductions, and data of other individuals listed on returns. Intuit’s Corporate Communications Vice President stated that fewer than 0.0003% of the platform’s 100+ million customers received ATO notifications, with some later confirmed as legitimate user activity. The company did not disclose the exact number of confirmed breaches or the timeframe of unauthorized access.

Upon detecting the compromise, Intuit temporarily disabled affected TurboTax accounts and instructed users to contact Customer Care via a dedicated phone line, where representatives guided them through identity verification to reactivate access. Impacted customers were offered one year of complimentary identity protection, credit monitoring, and Experian IdentityWorks restoration services. This mirrored Intuit’s response to prior ATO campaigns targeting TurboTax users in 2014, 2015, and 2019, which similarly involved stolen credentials from external sources. The incident underscored recurring risks of credential reuse across multiple platforms, though Intuit reiterated no evidence suggested its own systems were breached. Notifications were distributed earlier in June 2021, advising customers to monitor financial accounts and credit reports for suspicious activity.