SAN JOSE, Calif., April 6, 2001 -- A programming glitch in Intuit Inc.'s TurboTax software has posed a potential security problem for as many as 150,000 users and may force them to change their passwords, the company said Thursday.
The glitch affected about 1 percent of the total number of users of the tax preparation software and has since been fixed, said Intuit spokeswoman Holly Anderson.
"No customer data has been compromised nor are customers' tax returns or refunds affected in any way," she said.
The problem affected many of those who used a new feature that allowed them to import their 1099 investment tax data directly from their financial institutions to their TurboTax files.
During the import process, the program inadvertently — and quietly — saved onto the user's computer hard drive the account password that gave the user access to their investment information. For those using TurboTax via Intuit's online services, the account passwords were erroneously saved onto the company's servers.
The problem lasted from Jan. 31 to March 4, when the company upgraded its software as a fix. However, some users could have been affected up through Wednesday, if they chose not to upgrade their software when prompted by the program.
A more permanent fix was put in place Thursday which forced every user to upgrade the software before importing investment data.
The fix automatically deletes the account password that was saved in the user's computer.
The security risk, which the Mountain View-based financial software maker characterized as "very remote," stems from a hacker getting into a user's computer or Intuit's servers, and obtaining the passwords to gain access to investment data.
The seven financial institutions that have partnered with Intuit to use the import feature were notifying their affected shareholders of the password problem Thursday, Intuit said. The companies are: Vanguard Group, Citigroup Investment Service's Cititrade Account, Fidelity Investments, Invesco Funds, Salomon Smith Barney, TD Waterhouse and T. Rowe Price.
Some of the institutions recommended their shareholders change their account passwords as a precaution. Others, including Vanguard, took a more extreme measure and disabled the passwords of shareholders who imported the tax data, forcing them to set new ones.
"We'd rather have someone upset at us for not being able to get into their account than to have someone intrude their account," said Brian Mattes, a Vanguard principal.
Intuit said it discovered the problem in early March and deleted the passwords from its servers. By March 4, it issued a software patch that deleted the password from the user's computer if the user chose to update their TurboTax software.
The more permanent fix was completed Wednesday so users would have to get the software upgrade before importing investment data.
In addition to TurboTax, Intuit makes the Quicken and QuickBooks accounting software.