Avoiding tax refund identity theft this year is getting harder by the minute. The latest challenge is a data breach at TaxAct, a major online tax preparation service, which will cause huge headaches for some of its users. The breach might finally convince folks they must stop using the same login credentials on multiple websites, too.
On January 15, TaxAct notified over 9,400 users that their accounts have been temporarily frozen. An investigation revealed that 450 users had their accounts accessed and another 9,000 files showed suspicious activity.
Yet the company does not believe its systems were directly compromised. Instead, TaxAct executives believe hackers tried user name/password combinations obtained elsewhere to view client tax returns.
The data contained in TaxAct files is comprehensive.
“In addition to your username and password, we have reviewed our website logs for account activity after this attempted access and found that the tax return(s) stored in your account may have been opened or printed. These documents may contain your name and Social Security number, and may also contain your address, driver’s license number, and bank account information,” the company said in its notification.
TaxAct was founded in 1998 and offers a variety of free services plus upgrades for a fee. It handled over 5 million returns last year. The hacker intrusions occurred between November 10 and December 4, 2015, according to the firm’s public statement.
To reactivate locked accounts, users will have to re-verify their identity. The letter outlines necessary steps to make sure that hackers didn’t change banking info for direct deposit also. That is followed by an all-too-common reminder.
“In addition, to prevent unauthorized access to your other online accounts (those separate from any TaxAct account(s)), you should immediately change your password for any other service where you use the same username and password,” the communication states.
A July 2015 survey by PasswordBoss revealed that 59% of all users still reuse combinations over and over again. That percentage has actually increased since 2013 when an earlier study by Ofcom, a United Kingdom’s watchdog group, put the figure at 55%. PasswordBoss also found that 54% of all survey participants acknowledged they needed to change their password habits. Perhaps users of TaxAct will finally start listening.