Security Glitch in TurboTax
April 6, S A N J O S E, Calif. -- A programming glitch in Intuit Inc.'sTurboTax software has posed a potential security problem for asmany as 150,000 users and may force them to change their passwords,the company said Thursday.
The glitch affected about 1 percent of the total number of usersof the tax preparation software and has since been fixed, saidIntuit spokeswoman Holly Anderson.
"No customer data has been compromised nor are customers' taxreturns or refunds affected in any way," she said.
The problem affected many of those who used a new feature thatallowed them to import their 1099 investment tax data directly fromtheir financial institutions to their TurboTax files.
During the import process, the program inadvertently — andquietly — saved onto the user's computer hard-drive the accountpassword that gave the user access to their investment information.For those using TurboTax via Intuit's online services, the accountpasswords erroneously were saved onto the company's servers.
The problem lasted from Jan. 31 to March 4, when the companyupgraded its software as a fix. However, some users could have beenaffected up through Wednesday, if they chose not to upgrade theirsoftware when prompted by the program.
A more permanent fix was put in place Thursday which forcedevery user to upgrade the software before importing investmentdata.
The fix automatically deletes the account password that wassaved in the user's computer.
The security risk, which the Mountain View-based financialsoftware maker characterized as "very remote," stems from ahacker getting into a user's computer or Intuit's servers, andobtaining the passwords to gain access to investment data.
The seven financial institutions that have partnered with Intuitto use the import feature were notifying their affectedshareholders of the password problem Thursday, Intuit said. Thecompanies are: Vanguard Group, Citigroup Investment Service'sCititrade Account, Fidelity Investments, Invesco Funds, SalomonSmith Barney, TD Waterhouse and T. Rowe Price.