TurboTax Security Glitch May Force 150,000 Investors to Alter Passwords

A security glitch in Intuit’s TurboTax software may force up to 150,000 users to change the passwords they use to gain access to their brokerage and mutual fund accounts, the company said Thursday.

The problem affected about 1% of all users of the tax-preparation software and has been fixed, said Intuit spokeswoman Holly Anderson.

“No customer data has been compromised nor are customers’ tax returns or refunds affected in any way,” Anderson said.

The problem affected those who used a new TurboTax feature, called Automated Tax Return, that allowed them to import investment-tax data directly from their financial institutions to their TurboTax files.

During the import process, the program mistakenly captured and saved the account passwords that gave users access to their financial institution accounts. Intuit said it deleted all the captured passwords and created a software patch after the problem was discovered last month. A more permanent fix was completed Wednesday.

The security risk, which the Mountain View, Calif.-based financial software maker characterized as “very remote,” stems from a hacker possibly getting into a user’s computer or Intuit’s servers and obtaining the passwords to gain access to investment data.

It’s not the first time Intuit has faced an embarrassing security breach. Last year, the company said some of its customers’ financial data leaked from its Quicken.com loan Web site to an advertiser. Intuit said that problem was quickly fixed and that none of the data, which came from a loan calculator, could be traced to individual users.

The seven financial institutions that have partnered with Intuit to use the import feature were notifying their affected shareholders of the password problem Thursday, Intuit said. The companies are Vanguard Group, Citigroup Investment Service’s Cititrade Account, Fidelity Investments, Invesco Funds, Salomon Smith Barney, TD Waterhouse and T. Rowe Price.

Some of the institutions recommended that their shareholders change account passwords as a precaution. Others, including Vanguard, took a more-extreme measure and disabled the passwords of shareholders who imported the tax data, forcing them to set new ones.