The TurboTax company recently announced that their network was breached following a series of account takeover attacks, and that as a consequence, an undisclosed number of Turbo Tax customers had their personal data compromised.
The company stressed that this breach was not a consequence of failed network security on their part, but rather, bad password practices in use by some of their customers.
The way an ATO (Account Take Over) attack works is this: A customer is in the habit of using the same password on multiple sites. A hack occurs on another site that the customer uses, and his password there is exposed.
Knowing that many people reuse passwords, hackers attempt to use the passwords they glean from one breach on accounts for other sites, hoping to get lucky. In many cases, they do. That's what happened here.
Although the number of impacted accounts seems disturbingly large, the reality is that Turbo Tax serves over 100 million customers a year. So the impacted accounts represent a tiny fraction of the total. Granted, that's small consolation for those who have had their data compromised, but understanding how it happened and the context of the scope and scale is still important.
Now for the bad news: If your account was compromised, the hackers likely made off with information like your tax returns for prior years, your current tax return, your social security number, date of birth, driver's license number, and a wide range of financial information. Put another way, the hackers now have in their possession, everything they need to steal your identity and/or make your life a living hell. Be careful and check your credit report regularly for the next few months.