As featured in The Wall Street Journal, Money Magazine, and more!

TurboTax Fixed a Security Leak

This article was written by in Taxes. 15 comments.

This year, rather than going to a tax professional as I originally planned, I rolled my own return by using TurboTax Online. Apparently, there was a security leak last week. One woman was able to view tax returns from two other people with the same last night, presumably by tweaking a URL and guessing the password.

Well, this backdoor has been fixed, and the company claims that no other users have been affected.

Despite all the fear about identity theft through internet-related technology, I still believe SSL encryption is the safest way to fly. Low tech identity theft is much easier.

Updated March 21, 2011 and originally published April 11, 2007. If you enjoyed this article, subscribe to the RSS feed or receive daily emails. Follow @ConsumerismComm on Twitter and visit our Facebook page for more updates.

Email Email Print Print
About the author

Luke Landes is the founder of Consumerism Commentary. He has been blogging and writing for the internet since 1995 and has been building online communities since 1991. Find out more about Luke Landes and follow him on Twitter. View all articles by .

{ 15 comments… read them below or add one }

avatar Robin

I’m in agreement with you on the issue, plus I also am using TurboTax online to file this year. You may want to let your users know that if you have a State Farm insurance account, you can log in online to reach a link for free online TurboTax filing –federal and state, it appears. I discovered it by happenstance as I was checking my policies and so now I’m “rolling my own” too.

I paid $450 last year for a local accountant to do my taxes, and am just not feeling it this year.

I did see the story about the security flaw and lots of enraged user responses as I was looking for a tip in the TurboTax forums, but I felt it was somewhat of an overreaction as well. After all, it’s not like someone couldn’t get all the same information *plus* someone’s official signature and maybe even a free stamp for reuse just by intercepting paper tax forms on their way to the post office. If your own mailbox doesn’t place you at risk, some disgruntled or paid off postal worker might.

Granted, I do think companies which handle our financial, medical, and other personal information should pursue every possible measure to keep this information safe, so maybe the scolding and bad PR help that. Or maybe they just cause companies to spend more on their own PR and the same on upgrades, programmer training and server support. Food for thought.

I was just amused by all the huffy people skulking off to paper-file their taxes so it’d be secure.

Reply to this comment

avatar Hazzard

I worry about identity theft as well but the reality is that the highest risk place for having your identity stolen is offline. My company has lost multiple laptops containing employee information. I have credit monitoring paid for by my company because they had a laptop stolen with my information on it (since recovered).

I think one of the other areas of risk are companies that store my data unencrypted on their servers.

I believe they need to make it mandatory for people to be able to put freezes on their credit. It seems crazy to me that we aren’t allowed to do that permanently and with little effort.

Reply to this comment

avatar zorn

Absolute agree with Hazzard that anyone should easily be able to freeze their credit. Your elected representatives being toadies to the credit reporting agencies is the reason this hasn’t happened. It is unconscionable that this easy fix hasn’t been mandated except for a few states.

Reply to this comment

avatar Robin

Is anyone presently petitioning for this right? Sounds like a good idea–I’d be willing to support this.

Reply to this comment

avatar The Weary Consumer

I also used Turbo Tax this year to file my taxes. What amazes me is that people are always so worried about strangers getting their information on the Internet when what they really should be concerned about is their friends and relatives.

I worked in online banking for 7 years and in all that time we only had 5 cases (out of 12,000 users)where someone attempted or actually gained unauthorized access to a customer’s online banking account and in every case it was an ex-spouse, ex-girlfriend/ex-boyfriend, relative or roommate who was able to do it because they knew the customer’s social security number and had access to the customer’s paper statements.

We never had a case where a stranger hacked in and got someone’s information. It was always someone the customer knew and even in those situations the people who gained unauthorized access couldn’t do anything. The account numbers were masked and they couldn’t transfer funds to themselves and all they managed to do was see someone else’s account balance.

So I don’t worry too much about doing all my financial stuff online, but I do go to a whole lot of trouble to hide all my credit cards, bank statements, checkbooks, etc. whenever I have any of my sleazy relatives come by for a visit.

Reply to this comment

avatar edward

Turbo Tax Identity Theft is a problem. In March of this year an individual filed a tax return through turbo tax using my SSN and other data. How did they manage to get my employer EIN number in addition to my turbo tax filng code. How could this happen given all the security turbo tax promises/gauarantees with their product. No other credit has been applied for by the individual who filed the fraudulent return which tells me this is only a breach of customer information retained by turbo tax.i have called customer service twice regarding this issue.

Reply to this comment

avatar CrazyMad

There are no security measures. Someone filed our taxes through Turbo Tax this year and according to the VP, they got in on the first attempt. His response was that Turbo Tax has NEVER been hacked and that someone bought our passwords online. Maybe, but they just happened to buy our Turbo Tax password. Big Problem. We were NEVER notified that someone accessed our account, changed our information on this year’s filing by having access to 11 previous year’s returns. They accessed it once and tried again Mar 4th and we STILL weren’t notified and that is AFTER Turbo Tax KNEW that we were victims of identity theft and tax fraud through their website.

Reply to this comment

avatar Toby

SSL is just an ad-hoc tunneling protocol that encrypts traffic between two systems on the internet. SSL only protects data-in-motion. Data-at-rest, which may be stored in a file or database is not protected by SSL. Furthermore, SSL has nothing to do with this vulnerability and it doesn’t help one bit if the systems at either end are compromised.

Always remember that your data is unencrypted on your local system, so any spyware or virus that may be on your local system can see it when it leaves you system. At the same time, once the data travels through the SSL tunnel, it is unencrypted on the web server to which you sent your data. If that system is compromised, it can be siphoned off there as well. I’m not even going to go into problems with actually storing the data insecurely on the website or backend systems.

The problem here was simple URL manipulation which anyone with a web browser can do. Along with SQL injection and cross-site scripting, they are some of the most pervasive problems on the internet today. Literally millions of websites have these problems today. Plenty of financial institutions have had web application issues like these uncovered in the past and I would wager that plenty more problems will be uncovered in the future.

I’m not trying to “scare” anyone into not using the Internet for their financial dealings. In fact, I handle most of my finances online. But I felt that the quote, “SSL encryption is the safest way to fly” suggested that SSL was the be-all-end-all of being safe on the Internet. While SSL is important and I wouldn’t log into a financial institution or submit a CC number without it, there are plenty more threats out there that the readers should consider aside from whether the little padlock appears at the bottom of their browser or not.


Reply to this comment

avatar Robin

Great points!

Reply to this comment

avatar ThinkAgain

You might want to re-consider believing their assurances after reading the following:


Apparently this (or a similar) issue has been known for more than three months and not been fixed!

Reply to this comment

avatar mapgirl

heh. That’s why I’m mailing mine in. (j/k!) The one very clear case of ID theft I know about happened to one of my cousins. A friend of his in college stole his mail and opened a few credit cards in his name. Because he didn’t find out about it till it was too late, his credit was ruined. This happened about 10 years go, and I think most of the after-effects are over now, but it still sucked for a while till everything got resolved.

Low-tech vulnerability is where the most risk is, but you’ve got to be vigilant about everything.

Reply to this comment

avatar Jim in OKC

For those that are interested in keeping their financial data secure (static files), you can just do what I do. Triple zip the file (or your file compression algorithm of choice) with passwords…a different one for each zip level. Not impossible to break, but pretty tough for most.

Reply to this comment

avatar belle

Well this is all very interesting as I used Turbo Tax on-line for the first time, at the very time you all posted your comments above (April 2007) to do my 2006 taxes… And now as I just approached the deadline yesterday (April 15, 2008) to do my 2007 income taxes the same way on-line through Turbo Tax, I come to find someone had stolen my identity and filed my taxes for me back in January of this year. To top it off at the twelfth hour yesterday, I was dealing with the WORST Turbo tax customer service, on the phone for three hours straight (the majority of the time on hold), and then they finally told me to go mail my taxes, after it was already past five o’clock to make a local mailbox. I had to drive 60 miles, and I told the rep a million times if we wasted all this time to get no where and they tell me to go mail my taxes when it is already too late, that I would be even more upset. The guy assured me it wouldn’t happen, that the outcome they were seeking was solely in my favor, and they’d be able to get my taxes electronically to the IRS. It was all BS, they were just trying to find ways to not look responsible for the situation. Worst experience. What I have ahead of me know is even more daunting. I’d never use Turbo Tax again, and even more so because of the way their rep, Marshall Anderson, very rudely handled the situation. Someone has all my personal info because of their security issue.

Reply to this comment

avatar Teresa Hall

Hi all,
I have used Turbo Tax online for so many years that I have forgotten how to file a paper return but that is what I am having to do this year. I filed on January 31,2012 and was rejected by the IRS on the same day. I called the IRS the next day where they informed me I had already filed a return using Turbo Tax. I assured them I had not, that I had just got my W2 and all my other tax records and then they said they could not talk to me anymore. I called all the appropriate agencies to report my being a victim of Identity Theft and then finally called Turbo Tax. It took me 45 minutes of being on hold and then when I was talking to the agent, she was telling me to report to all the agencies the IRS had informed me about. The one thing everyone agreed upon was that I was going to have to file by mail. When I returned to Turbo Tax to print up my returns, they attempted to charge me 56.00 dollars and I just could not stomach that. Everyone does their returns on my computer so I have several Turbo Tax IDs and I invariably forget each year so I have the user ids emailed to me. The one id that has been exclusive to my husband and I did not show up on the email. This was January 15th and I tried to reset the account three different times and finally had to call TT customer support on January 29 and let them physically reset it. I just figured it was a glitch and paid no more attention to it until the dreaded news from the IRS. I called TT again today and told them that I felt they were at least as culpable as I was and I did not feel I should have to pay 56.00 just to print my forms. What was I paying them for? The theft of all my personal and financial records and the holdup of my tax return. They promptly sent me the free version of Deluxe and I am on my way to the mailbox now. But one interesting piece of information came out during our online chat and that was “we know about the problems and we are trying to fix them”. So let the buyer beware is all I can say. They have a serious breach in their security and so far I have had three friends have almost the same identical thing happen to them.

Reply to this comment

avatar Greg

I have been on the phone for over an hour and can’t get anyone at Turbo tax to talk to me directly. This problem is real! Someone I don’t know e-mailed me my complete state, federal and Turbotax recap at 10:00PM last night. Turbo Tax”s response was send us the e-mail to India and if it is our fault someone will call you.

Reply to this comment

Leave a Comment

Note: Use your name or a unique handle, not the name of a website or business. No deep links or business URLs are allowed. Spam, including promotional linking to a company website, will be deleted. By submitting your comment you are agreeing to these terms and conditions.

Notify me of followup comments via e-mail. You can also subscribe without commenting.