I wasn't too concerned when BBI was recently hacked, since the password I used to log into BBI was an extremely old one, and none of my other online accounts still used that password. Or so I thought.
I completely forgot about my Turbotax account, which used the same ID and password as BBI.
Today, I discovered that somebody had logged into my Turbotax account, and filed my federal taxes for me. Every number entered into my tax return was bogus, with the ultimate goal of having a $514 refund direct deposited into a mystery bank account.
I'm not 100% certain this was due to the BBI breach, but all signs suggest that it was. The Turbotax rep informed that they just had a 3rd party security firm perform a complete analysis of their infrastructure just 2-3 weeks ago, who concluded that Turbotax had not been compromised in any way.
I just wanted to give you guys a heads up, in case this was related to the BBI breach. If you use that old BBI password anywhere else, make sure you change it, just to be on the safe side.
Quote:
In comment 12153497 Fred in Atlanta said:
Quote:
stop taking returns for a while especially from Turbo Tax (Georgia was one of them), because of an issue with people filling false tax returns a few weeks back? This may not have been an issue with BBI.
This was absolutely the result of the hacking issue with BBI. TurboTax wasn't hacked. These jerkoffs find vulnerable websites to steal info from (user ids and passwords) and use that info for their identity theft purposes. If they are lucky, they find a crack in the armor, as was the case with me and others here on BBI. The only reason they were able to access my TurboTax is because the stole my password from BBI and it was the one password I didn't think to change.
After finding that it wasn't TurboTax's fault, they did absolutely nothing. It still boggles my mind how awful their security is. TurboTax has ALL my personal info and all you need is a simple password to access it. Every single merchandising website masks credit card numbers...why wouldn't they do the same with soc sec numbers and other personal data? Why not make it more difficult to access?
I just did a quick google search are all these people on BBI using Turbo Tax. Google search of turbo tax hacked - ( New Window )
Fred, I really don't understand your point. No, I don't think that all the people affected by the TurboTax issue are on BBI. Obviously. If that was your point then it was a stupid one.
But, yes, I firmly believe that my TurboTax was hacked as a direct result of the BBI breach. Are you really trying to argue otherwise? I really hope you are not that dense.
User ID = 12345
Password = password.
But I quess I'll have to change them now.
User ID = userid
Password = 12345.
You fool! You didn't even change your password!
My suggestion: 54321
You're welcome.
It has my credit card linked to it, and fortunately it is not the same as my bbi info.
I don't understand what info was stolen that allowed someone to file a return for you - to my knowledge, turbo tax is software package where your return, and personal info is stored on your desktop NOT by turbo tax - it sounds like spyware or some other hack on your machine rather than turbo tax. Not saying anything about whether it was related to BBI, just trying to understand how your personal info is stored by turbo tax.
It has my credit card linked to it, and fortunately it is not the same as my bbi info.
I don't understand what info was stolen that allowed someone to file a return for you - to my knowledge, turbo tax is software package where your return, and personal info is stored on your desktop NOT by turbo tax - it sounds like spyware or some other hack on your machine rather than turbo tax. Not saying anything about whether it was related to BBI, just trying to understand how your personal info is stored by turbo tax.
No, you have an account with Intuit.
So which one of fekers trying to log into my gmail account from SE florida?
People who are bashing a guy that came here to help others suck FYI and I hope your Karma gets you. When it does I hope nobody tries and make you feel bad for posting information that may affect others. It looks like at least one other guy was affected by this also. I respect those that came back and at least apologized though.
Best of luck to whoever got screwed in this whole thing. Hopefully it resolves.
Lee said he was mystified when Intuit repeatedly refused to adopt some basic policies that would make it more costly and complicated for fraudsters to abuse the company's service for tax refund fraud, such as blocking the re-use of the same Social Security number across a certain number of TurboTax accounts, or preventing the same account from filing more than a small number of tax returns.
"If I sign up for an account and file tax refund requests on 100 people who are not me, it's obviously fraud," Lee said in an interview with KrebsOnSecurity. "We found literally millions of accounts that were 100 percent used only for fraud. But management explicitly forbade us from either flagging the accounts as fraudulent, or turning off those accounts."
It's a near perfect online scam: with hacked social security numbers and other personally identifying fragments flooding the web, fraudsters need only create a free TurboTax account to siphon away someone else's refund. And because TurboTax allows filers to pay for the price of the software with their refund before they actually receive it, there's no need to submit or falsify a credit card number—it's free money for both Intuit and crooks.
Even more disturbingly, MacDougall says he was brushed off by management when he told them their company was providing an extremely easy and effective way to steal from the very people it purports to help:
"Complainant repeatedly raised issues with managers, directors, and even [a senior vice president] of the company to try to rectify ongoing fraud, but was repeatedly rebuffed and told Intuit couldn't do anything that would 'hurt the numbers'," MacDougall wrote in his SEC filing. "Complainant repeatedly offered solutions to help stop the fraud, but was ignored."
link - ( New Window )
Quote:
Robert Lee and Shane MacDougall, both former security executives at Intuit, spoke with KrebsOnSecurity.com about the company's dubious practices: Identity thieves have been creating fake accounts in droves to cash in on strangers' legitimate refunds. It's a simple maneuver: plug in someone else's Social Security number and other tax identification, then go through the same TurboTax steps as normal—only they bank the refund deposit, not you:
Lee said he was mystified when Intuit repeatedly refused to adopt some basic policies that would make it more costly and complicated for fraudsters to abuse the company's service for tax refund fraud, such as blocking the re-use of the same Social Security number across a certain number of TurboTax accounts, or preventing the same account from filing more than a small number of tax returns.
"If I sign up for an account and file tax refund requests on 100 people who are not me, it's obviously fraud," Lee said in an interview with KrebsOnSecurity. "We found literally millions of accounts that were 100 percent used only for fraud. But management explicitly forbade us from either flagging the accounts as fraudulent, or turning off those accounts."
It's a near perfect online scam: with hacked social security numbers and other personally identifying fragments flooding the web, fraudsters need only create a free TurboTax account to siphon away someone else's refund. And because TurboTax allows filers to pay for the price of the software with their refund before they actually receive it, there's no need to submit or falsify a credit card number—it's free money for both Intuit and crooks.
Even more disturbingly, MacDougall says he was brushed off by management when he told them their company was providing an extremely easy and effective way to steal from the very people it purports to help:
"Complainant repeatedly raised issues with managers, directors, and even [a senior vice president] of the company to try to rectify ongoing fraud, but was repeatedly rebuffed and told Intuit couldn't do anything that would 'hurt the numbers'," MacDougall wrote in his SEC filing. "Complainant repeatedly offered solutions to help stop the fraud, but was ignored."
link - ( New Window )
Maybe...maybe not. But coincidence is a funny thing. There are a number of people on this thread alone that were hacked in some fashion after the BBI breach. Two of us on TurboTax.
But, just coincidence, right?
Quote:
Robert Lee and Shane MacDougall, both former security executives at Intuit, spoke with KrebsOnSecurity.com about the company's dubious practices: Identity thieves have been creating fake accounts in droves to cash in on strangers' legitimate refunds. It's a simple maneuver: plug in someone else's Social Security number and other tax identification, then go through the same TurboTax steps as normal—only they bank the refund deposit, not you:
Lee said he was mystified when Intuit repeatedly refused to adopt some basic policies that would make it more costly and complicated for fraudsters to abuse the company's service for tax refund fraud, such as blocking the re-use of the same Social Security number across a certain number of TurboTax accounts, or preventing the same account from filing more than a small number of tax returns.
"If I sign up for an account and file tax refund requests on 100 people who are not me, it's obviously fraud," Lee said in an interview with KrebsOnSecurity. "We found literally millions of accounts that were 100 percent used only for fraud. But management explicitly forbade us from either flagging the accounts as fraudulent, or turning off those accounts."
It's a near perfect online scam: with hacked social security numbers and other personally identifying fragments flooding the web, fraudsters need only create a free TurboTax account to siphon away someone else's refund. And because TurboTax allows filers to pay for the price of the software with their refund before they actually receive it, there's no need to submit or falsify a credit card number—it's free money for both Intuit and crooks.
Even more disturbingly, MacDougall says he was brushed off by management when he told them their company was providing an extremely easy and effective way to steal from the very people it purports to help:
"Complainant repeatedly raised issues with managers, directors, and even [a senior vice president] of the company to try to rectify ongoing fraud, but was repeatedly rebuffed and told Intuit couldn't do anything that would 'hurt the numbers'," MacDougall wrote in his SEC filing. "Complainant repeatedly offered solutions to help stop the fraud, but was ignored."
link - ( New Window )
Except that has nothing to do with what happened here. The article says that they need your SSN and they create a fraudulent account. The two people here have legitimate accounts that were hacked. Big difference.
I have a feeling that there will be lawyers having conversations over this when all is said and done.
Quote:
Quote:
Robert Lee and Shane MacDougall, both former security executives at Intuit, spoke with KrebsOnSecurity.com about the company's dubious practices: Identity thieves have been creating fake accounts in droves to cash in on strangers' legitimate refunds. It's a simple maneuver: plug in someone else's Social Security number and other tax identification, then go through the same TurboTax steps as normal—only they bank the refund deposit, not you:
Lee said he was mystified when Intuit repeatedly refused to adopt some basic policies that would make it more costly and complicated for fraudsters to abuse the company's service for tax refund fraud, such as blocking the re-use of the same Social Security number across a certain number of TurboTax accounts, or preventing the same account from filing more than a small number of tax returns.
"If I sign up for an account and file tax refund requests on 100 people who are not me, it's obviously fraud," Lee said in an interview with KrebsOnSecurity. "We found literally millions of accounts that were 100 percent used only for fraud. But management explicitly forbade us from either flagging the accounts as fraudulent, or turning off those accounts."
It's a near perfect online scam: with hacked social security numbers and other personally identifying fragments flooding the web, fraudsters need only create a free TurboTax account to siphon away someone else's refund. And because TurboTax allows filers to pay for the price of the software with their refund before they actually receive it, there's no need to submit or falsify a credit card number—it's free money for both Intuit and crooks.
Even more disturbingly, MacDougall says he was brushed off by management when he told them their company was providing an extremely easy and effective way to steal from the very people it purports to help:
"Complainant repeatedly raised issues with managers, directors, and even [a senior vice president] of the company to try to rectify ongoing fraud, but was repeatedly rebuffed and told Intuit couldn't do anything that would 'hurt the numbers'," MacDougall wrote in his SEC filing. "Complainant repeatedly offered solutions to help stop the fraud, but was ignored."
link - ( New Window )
Maybe...maybe not. But coincidence is a funny thing. There are a number of people on this thread alone that were hacked in some fashion after the BBI breach. Two of us on TurboTax.
But, just coincidence, right?
Well coincidence is usually the end product of multiple factors. Sorry, but i am a novice at IT stuff and i even knew not to use a password for a damn football site as one for my important personal stuff. Sorry this happened to you but much of the blame lies with yourself
Quote:
Quote:
Robert Lee and Shane MacDougall, both former security executives at Intuit, spoke with KrebsOnSecurity.com about the company's dubious practices: Identity thieves have been creating fake accounts in droves to cash in on strangers' legitimate refunds. It's a simple maneuver: plug in someone else's Social Security number and other tax identification, then go through the same TurboTax steps as normal—only they bank the refund deposit, not you:
Lee said he was mystified when Intuit repeatedly refused to adopt some basic policies that would make it more costly and complicated for fraudsters to abuse the company's service for tax refund fraud, such as blocking the re-use of the same Social Security number across a certain number of TurboTax accounts, or preventing the same account from filing more than a small number of tax returns.
"If I sign up for an account and file tax refund requests on 100 people who are not me, it's obviously fraud," Lee said in an interview with KrebsOnSecurity. "We found literally millions of accounts that were 100 percent used only for fraud. But management explicitly forbade us from either flagging the accounts as fraudulent, or turning off those accounts."
It's a near perfect online scam: with hacked social security numbers and other personally identifying fragments flooding the web, fraudsters need only create a free TurboTax account to siphon away someone else's refund. And because TurboTax allows filers to pay for the price of the software with their refund before they actually receive it, there's no need to submit or falsify a credit card number—it's free money for both Intuit and crooks.
Even more disturbingly, MacDougall says he was brushed off by management when he told them their company was providing an extremely easy and effective way to steal from the very people it purports to help:
"Complainant repeatedly raised issues with managers, directors, and even [a senior vice president] of the company to try to rectify ongoing fraud, but was repeatedly rebuffed and told Intuit couldn't do anything that would 'hurt the numbers'," MacDougall wrote in his SEC filing. "Complainant repeatedly offered solutions to help stop the fraud, but was ignored."
link - ( New Window )
Except that has nothing to do with what happened here. The article says that they need your SSN and they create a fraudulent account. The two people here have legitimate accounts that were hacked. Big difference.
I have a feeling that there will be lawyers having conversations over this when all is said and done.
They don't get someones SSI from BBI.
Quote:
In comment 12154630 montanagiant said:
Quote:
Quote:
Robert Lee and Shane MacDougall, both former security executives at Intuit, spoke with KrebsOnSecurity.com about the company's dubious practices: Identity thieves have been creating fake accounts in droves to cash in on strangers' legitimate refunds. It's a simple maneuver: plug in someone else's Social Security number and other tax identification, then go through the same TurboTax steps as normal—only they bank the refund deposit, not you:
Lee said he was mystified when Intuit repeatedly refused to adopt some basic policies that would make it more costly and complicated for fraudsters to abuse the company's service for tax refund fraud, such as blocking the re-use of the same Social Security number across a certain number of TurboTax accounts, or preventing the same account from filing more than a small number of tax returns.
"If I sign up for an account and file tax refund requests on 100 people who are not me, it's obviously fraud," Lee said in an interview with KrebsOnSecurity. "We found literally millions of accounts that were 100 percent used only for fraud. But management explicitly forbade us from either flagging the accounts as fraudulent, or turning off those accounts."
It's a near perfect online scam: with hacked social security numbers and other personally identifying fragments flooding the web, fraudsters need only create a free TurboTax account to siphon away someone else's refund. And because TurboTax allows filers to pay for the price of the software with their refund before they actually receive it, there's no need to submit or falsify a credit card number—it's free money for both Intuit and crooks.
Even more disturbingly, MacDougall says he was brushed off by management when he told them their company was providing an extremely easy and effective way to steal from the very people it purports to help:
"Complainant repeatedly raised issues with managers, directors, and even [a senior vice president] of the company to try to rectify ongoing fraud, but was repeatedly rebuffed and told Intuit couldn't do anything that would 'hurt the numbers'," MacDougall wrote in his SEC filing. "Complainant repeatedly offered solutions to help stop the fraud, but was ignored."
link - ( New Window )
Except that has nothing to do with what happened here. The article says that they need your SSN and they create a fraudulent account. The two people here have legitimate accounts that were hacked. Big difference.
I have a feeling that there will be lawyers having conversations over this when all is said and done.
They don't get someones SSI from BBI.
That's not what he's saying...
Quote:
In comment 12154630 montanagiant said:
Quote:
Quote:
Robert Lee and Shane MacDougall, both former security executives at Intuit, spoke with KrebsOnSecurity.com about the company's dubious practices: Identity thieves have been creating fake accounts in droves to cash in on strangers' legitimate refunds. It's a simple maneuver: plug in someone else's Social Security number and other tax identification, then go through the same TurboTax steps as normal—only they bank the refund deposit, not you:
Lee said he was mystified when Intuit repeatedly refused to adopt some basic policies that would make it more costly and complicated for fraudsters to abuse the company's service for tax refund fraud, such as blocking the re-use of the same Social Security number across a certain number of TurboTax accounts, or preventing the same account from filing more than a small number of tax returns.
"If I sign up for an account and file tax refund requests on 100 people who are not me, it's obviously fraud," Lee said in an interview with KrebsOnSecurity. "We found literally millions of accounts that were 100 percent used only for fraud. But management explicitly forbade us from either flagging the accounts as fraudulent, or turning off those accounts."
It's a near perfect online scam: with hacked social security numbers and other personally identifying fragments flooding the web, fraudsters need only create a free TurboTax account to siphon away someone else's refund. And because TurboTax allows filers to pay for the price of the software with their refund before they actually receive it, there's no need to submit or falsify a credit card number—it's free money for both Intuit and crooks.
Even more disturbingly, MacDougall says he was brushed off by management when he told them their company was providing an extremely easy and effective way to steal from the very people it purports to help:
"Complainant repeatedly raised issues with managers, directors, and even [a senior vice president] of the company to try to rectify ongoing fraud, but was repeatedly rebuffed and told Intuit couldn't do anything that would 'hurt the numbers'," MacDougall wrote in his SEC filing. "Complainant repeatedly offered solutions to help stop the fraud, but was ignored."
link - ( New Window )
Maybe...maybe not. But coincidence is a funny thing. There are a number of people on this thread alone that were hacked in some fashion after the BBI breach. Two of us on TurboTax.
But, just coincidence, right?
Well coincidence is usually the end product of multiple factors. Sorry, but i am a novice at IT stuff and i even knew not to use a password for a damn football site as one for my important personal stuff. Sorry this happened to you but much of the blame lies with yourself
Ahhh...and there it is...the asshole comes out. What's the matter, did I offend your precious BBI?
My only mistake was trusting that a "damn football site" would not be so careless with their members data. Sorry your a dickhead but much of that is on yourself.
Quote:
In comment 12154677 PhiPsi125 said:
Quote:
In comment 12154630 montanagiant said:
Quote:
Quote:
Robert Lee and Shane MacDougall, both former security executives at Intuit, spoke with KrebsOnSecurity.com about the company's dubious practices: Identity thieves have been creating fake accounts in droves to cash in on strangers' legitimate refunds. It's a simple maneuver: plug in someone else's Social Security number and other tax identification, then go through the same TurboTax steps as normal—only they bank the refund deposit, not you:
Lee said he was mystified when Intuit repeatedly refused to adopt some basic policies that would make it more costly and complicated for fraudsters to abuse the company's service for tax refund fraud, such as blocking the re-use of the same Social Security number across a certain number of TurboTax accounts, or preventing the same account from filing more than a small number of tax returns.
"If I sign up for an account and file tax refund requests on 100 people who are not me, it's obviously fraud," Lee said in an interview with KrebsOnSecurity. "We found literally millions of accounts that were 100 percent used only for fraud. But management explicitly forbade us from either flagging the accounts as fraudulent, or turning off those accounts."
It's a near perfect online scam: with hacked social security numbers and other personally identifying fragments flooding the web, fraudsters need only create a free TurboTax account to siphon away someone else's refund. And because TurboTax allows filers to pay for the price of the software with their refund before they actually receive it, there's no need to submit or falsify a credit card number—it's free money for both Intuit and crooks.
Even more disturbingly, MacDougall says he was brushed off by management when he told them their company was providing an extremely easy and effective way to steal from the very people it purports to help:
"Complainant repeatedly raised issues with managers, directors, and even [a senior vice president] of the company to try to rectify ongoing fraud, but was repeatedly rebuffed and told Intuit couldn't do anything that would 'hurt the numbers'," MacDougall wrote in his SEC filing. "Complainant repeatedly offered solutions to help stop the fraud, but was ignored."
link - ( New Window )
Maybe...maybe not. But coincidence is a funny thing. There are a number of people on this thread alone that were hacked in some fashion after the BBI breach. Two of us on TurboTax.
But, just coincidence, right?
Well coincidence is usually the end product of multiple factors. Sorry, but i am a novice at IT stuff and i even knew not to use a password for a damn football site as one for my important personal stuff. Sorry this happened to you but much of the blame lies with yourself
Ahhh...and there it is...the asshole comes out. What's the matter, did I offend your precious BBI?
My only mistake was trusting that a "damn football site" would not be so careless with their members data. Sorry your a dickhead but much of that is on yourself.
Actually you started the shitty aspect of the conversation with being snide at the end of your first response. Look, I just posted info you should know and you got defensive about it and a bit shitty, i just played off of that in my last response. I hopre this all ends up well for you but IMO saying you "trusted a football site" with info that is vital, really is pretty ignorant. Especially given the fact of what you do for a living. I hope you get it cleared up but the blame spreads well across all parties on this.
Listen, I really don't care to sit here and argue this with BBI drones like you. I'm knee deep in shit, pissed off, and the last thing i really want to hear is the BBI groupies defend BBI and tell me I'm ignorant and its all my fault.
Its probably best if this thread is just deleted.
I hope the fact that Turbo Tax abuses this shit helps you rectify this, but being what you call a "BBI Drone" has nothing to do with it. Being ignorant about the internet does though