I wasn't too concerned when BBI was recently hacked, since the password I used to log into BBI was an extremely old one, and none of my other online accounts still used that password. Or so I thought.
I completely forgot about my Turbotax account, which used the same ID and password as BBI.
Today, I discovered that somebody had logged into my Turbotax account, and filed my federal taxes for me. Every number entered into my tax return was bogus, with the ultimate goal of having a $514 refund direct deposited into a mystery bank account.
I'm not 100% certain this was due to the BBI breach, but all signs suggest that it was. The Turbotax rep informed me that they just had a 3rd party security firm perform a complete analysis of their infrastructure just 2-3 weeks ago, who concluded that Turbotax had not been compromised in any way.
I just wanted to give you guys a heads up, in case this was related to the BBI breach. If you use that old BBI password anywhere else, make sure you change it, just to be on the safe side.
Holy mackerel
I thought that would have just been a common sense move. Sorry to hear about what happened but I just don't understand why you'd use your TurboTax password anywhere else.
Thanks for the heads up...what a fucking pain in the ass now.
Never even thought TurboTax would be a concern.
Everything recent has different usernames and credentials, outside of some older gaming platforms that I still might use, but those are all configured for 2-factor authentication and all have varying passwords.
I've actually got some background in security. This was a huge (and dumb) oversight on my part.
I'm not here to point fingers. I'm not here bitching. I'm simply here to give you dicks a heads up, in case anybody dismissed the potential impact of the recent breach here.
I'm on hold with TurboTax right now.
I should change my password now to the same as my BBI password (which I never changed b/c this is the only site where I use that password).
The bigger issue is that now someone has the social sec numbers for my entire family.
Hope things work out for both of you guys. Shitty.
lol, I'm on their website right now also. Multi-tasking!
that way you can see any new accounts opened with that SSN.
Lifelock will do it too but in Mass the credit reporting agencies need to provide you an annual credit report free of charge, not sure about your state.
Federal law requires each of the credit agencies to provide you with one free report per year. Here is the site to get them:
Annual Credit Report
yeah, it's not like e-mail addresses were part of the hacked information that was posted in pastebin along with the passwords
Quote:
it but maybe consider lifelock?
lol, I'm on their website right now also. Multi-tasking!
That royally sucks man. I'm sorry to hear that. I listen to consumer advocate Clark Howard a lot and he seems to think credit monitoring software like Lifelock are essentially useless. As Steve in KY stated, go to the three major credit bureaus and freeze your credit. MUCH more effective for protection purposes.
Quote:
to hear about that, but why would TurboTax have the same user id that you use on BBI?
yeah, it's not like e-mail addresses were part of the hacked information that was posted in pastebin along with the passwords
Exactly, my email that I used on here was compromised and locked out by Yahoo after the BBI hack. Had to jump through hoops to prove that I am me so they would unlock it.
User ID = 12345
Password = password.
But I guess I'll have to change them now.
User ID = userid
Password = 12345.
I have a thousand passwords for different things. I use my password for BBI and Turbo Tax the least out of any of them.
I never thought that a football website would get hacked and steal my password and use that as a link to submit a fraudulent tax return. Fun stuff, right? Yeah, read through my sarcasm.
Oh yeah...after almost two hours on the phone with TurboTax (1 hour and 45 minutes of that was on hold)...they can do absolutely nothing. They basically read from a website that my wife found in a 5 minute google search. This shit will probably haunt me for years. Plus, now I need to spend hundreds of dollars every year for god knows how long just to protect my family's identity through one of those lifelock type of services.
Awesome night.
You can find this form here:
http://www.irs.gov/pub/irs-pdf/f14039.pdf
I also need to file a complaint with the FTC:
http://www.consumer.ftc.gov/features/feature-0014-identity-theft
If you prefer a phone call:
FTC Identity Theft Hotline at 1-877-438-4338 or TTY 1-866-653-4261
Here are some steps from the IRS on what to do if your SSN is compromised:
http://www.irs.gov/uac/Taxpayer-Guide-to-Identity-Theft
Turbotax also offered me 2 free years of fraud protection with Experian, which I accepted. They are also arranging for a CPA to assist with my taxes this year, free of charge. I didn't raise any fuss at all during my call, so these were simply good will gestures. I hope you received the same offers.
I guess the thing that dawned on me is how shitty the security at TurboTax is. I mean, they've got all of your personal data on file and all you need is a simple password to get in? It's ten times harder to log in to pay my Home Depot bill. And once you are in, you can't see any personal info anyway. Fucking TurboTax.
Ned, don't believe so. At least what was posted on pastebin only contained the current password
Ned...the hacker took a snapshot of the e-mails and BBI passwords at the time of the hack. Old passwords are not stored.
It also looks like more than half the e-mail addresses we had on file were actually so old that they were no longer valid.
Walt in MD : 9:16 pm
And your car got stolen? You wore a short dress and got molested?
The password is, haveaseatrightthere..
Ned...the hacker took a snapshot of the e-mails and BBI passwords at the time of the hack. Old passwords are not stored.
It also looks like more than half the e-mail addresses we had on file were actually so old that they were no longer valid.
What does it matter anyway if he used his handle? Passwords weren't public and the hacker got those anyway. Many email addresses were hidden but the hacker got those anyway. Might as well take my handle too. Shit happened and people got fucked. What else is there to do but move on.
Quote:
does anyone know if old passwords were seen by the hackers? (formerly Ned Higgins) Thankfully I changed my password a few months ago to an obscure one that was unique to BBI.
Ned, don't believe so. At least what was posted on pastebin only contained the current password
Thanks Mook. Horror stories like this make me incredibly paranoid. Thankfully I was able to file my taxes but after reading this I changed my password on my tax site and my yahoo email too.
Everything recent has different usernames and credentials, outside of some older gaming platforms that I still might use, but those are all configured for 2-factor authentication and all have varying passwords.
I've actually got some background in security. This was a huge (and dumb) oversight on my part.
I'm not here to point fingers. I'm not here bitching. I'm simply here to give you dicks a heads up, in case anybody dismissed the potential impact of the recent breach here.
I didn't mean to be a prick was just joking...hope it all works out..
The problem (and the reason you will need the Advocate's help) is that the IRS is so backlogged with ID theft cases that it can take them over a year to process your actual return, bc the initial fraudulent return is treated as original and yours as the amended one.
Good luck getting this straightened out. The only account password I forgot to change was my Earthlink account and that got hacked.
The feds have to make sure tax refunds are not sent to accounts where the receiving person cannot be identified. It's not easy but it's something that has to be done.
I've heard about this from several people.
This was absolutely the result of the hacking issue with BBI. TurboTax wasn't hacked. These jerkoffs find vulnerable websites to steal info from (user ids and passwords) and use that info for their identity theft purposes. If they are lucky, they find a crack in the armor, as was the case with me and others here on BBI. The only reason they were able to access my TurboTax is because they stole my password from BBI and it was the one password I didn't think to change.
After finding that it wasn't TurboTax's fault, they did absolutely nothing. It still boggles my mind how awful their security is. TurboTax has ALL my personal info and all you need is a simple password to access it. Every single merchandising website masks credit card numbers...why wouldn't they do the same with soc sec numbers and other personal data? Why not make it more difficult to access?
Quote:
stop taking returns for a while especially from Turbo Tax (Georgia was one of them), because of an issue with people filing false tax returns a few weeks back? This may not have been an issue with BBI.
This was absolutely the result of the hacking issue with BBI. TurboTax wasn't hacked. These jerkoffs find vulnerable websites to steal info from (user ids and passwords) and use that info for their identity theft purposes. If they are lucky, they find a crack in the armor, as was the case with me and others here on BBI. The only reason they were able to access my TurboTax is because they stole my password from BBI and it was the one password I didn't think to change.
After finding that it wasn't TurboTax's fault, they did absolutely nothing. It still boggles my mind how awful their security is. TurboTax has ALL my personal info and all you need is a simple password to access it. Every single merchandising website masks credit card numbers...why wouldn't they do the same with soc sec numbers and other personal data? Why not make it more difficult to access?
I just did a quick Google search. Are all these people on BBI using Turbo Tax?
Google search of turbo tax hacked