IRS Was Not Hacked – Taxpayer Data Stolen For 100,000 People


So the IRS was not hacked – as many media outlets are claiming. Was taxpayer data stolen from IRS systems? Yes, did it involve any kind of hack (by any definition) – no.

There was no intrusion, there was some clever phishing, data slurping and brute forcing – of people who already had their data stolen it’s important to note.

IRS Was Not Hacked - Taxpayer Data Stolen For 100,000 People

It seems the biggest leak was of tax returns and the illegal access is to bolster the stolen identities of folks who had already been compromised by some other means.

The US Internal Revenue Service said on Tuesday that info including tax returns and income forms for some 100,000 people were illegally accessed this year.

The US tax agency believes a group collected a trove of information on the victims and then used that data to fill out the authentication forms for the IRS’s online “Get Transcript” feature, which allows taxpayers to access past tax records.

To say that the IRS itself was “hacked” – as some journos squawked today – is more than a stretch. The criminals did not compromise any IRS servers or exploit technical glitches in the Get Transcript feature. Rather, they gathered an obscene amount of personal data from their victims via other means, and then typed that data to the IRS site.

“Third parties succeeded in clearing a multi-step authentication process that required prior personal knowledge about the taxpayer, including Social Security information, date of birth, tax filing status and street address before accessing IRS systems,” the IRS told The Reg in an emailed statement.

“The multi-layer process also requires an additional step, where applicants must correctly answer several personal identity verification questions that typically are only known by the taxpayer.”

According to the IRS, the data theft operation ran from February through mid-May, when the activity was detected. In total, the IRS said 200,000 attempts to access personal information were made from “questionable” email accounts, about half of which resulted in successfully accessing the Get Transcript function.


The one thing that surprises me is that so many bogus requests were not detected earlier, as I’m pretty sure a lot of questions were answered wrongly and retried possibly multiple times.

Perhaps the attackers were very smart though and used different IP addresses, different browser agents, different submission timings etc. And not noticing 200,000 illicit requests from “questionable” e-mail addresses – that seems kinda lackadaisical.

It is not known how the personal information used to fill out the transcript requests was gathered, or from where.

“The matter is under continuing review by the Treasury Inspector General for Tax Administration and IRS offices, including Criminal Investigation,” the IRS said. “The IRS notes this issue does not involve its main computer system that handles tax filing submission; that system remains secure.”

The IRS has shut down the Get Transcript portal until further notice. The tax authority will also provide free credit monitoring services to those who were affected by the illegal access – and given the nature of the data required for access, they’ll need it.

When your Social Security Number, date of birth, marital state, home address, and enough personal background to answer a handful of verification questions has been taken by an identity thief, you probably have other things to worry about than whether they view your 1040EZ.

Again, we would advise those not affected not to panic over any sensationalist “IRS has been hacked!” headlines currently floating around news and social media. This was not a breach of any IRS systems, but rather what appears to be the result of some very extensive phishing/data harvesting from 100,000 unlucky individuals.

So yah to summarise it’s not a hack, but it does expose some weakness in the IRS Get Transcript service and due to that, they’ve disabled it at the moment.

But as the article mentions, if the attackers already had that much information on you (SSN, address, personal information) – them getting access to your historical tax returns is the least of your worries.

Source: The Register

Posted in: Legal Issues, Privacy


Latest Posts:


Aclpwn.Py - Exploit ACL Based Privilege Escalation Paths in Active Directory Aclpwn.Py – Exploit ACL Based Privilege Escalation Paths in Active Directory
Aclpwn.py is a tool that interacts with BloodHound< to identify and exploit ACL based privilege escalation paths.
Vulhub - Pre-Built Vulnerable Docker Environments For Learning To Hack Vulhub – Pre-Built Vulnerable Docker Environments For Learning To Hack
Vulhub is an open-source collection of pre-built vulnerable docker environments for learning to hack. No pre-existing knowledge of docker is required, just execute two simple commands.
LibInjection - Detect SQL Injection (SQLi) and Cross-Site Scripting (XSS) LibInjection – Detect SQL Injection (SQLi) and Cross-Site Scripting (XSS)
LibInjection is a C library to Detect SQL Injection (SQLi) and Cross-Site Scripting (XSS) through lexical analysis of real-world Attacks.
Grype - Vulnerability Scanner For Container Images & Filesystems Grype – Vulnerability Scanner For Container Images & Filesystems
Grype is a vulnerability scanner for container images and filesystems with an easy to install binary that supports the packages for most major *nix based OS.
APT-Hunter - Threat Hunting Tool via Windows Event Log APT-Hunter – Threat Hunting Tool via Windows Event Log
APT-Hunter is a threat hunting tool for windows event logs made from the perspective of the purple team mindset to provide detection for APT movements hidden in the sea of windows event logs.
GitLab Watchman - Audit Gitlab For Sensitive Data & Credentials GitLab Watchman – Audit Gitlab For Sensitive Data & Credentials
GitLab Watchman is an app that uses the GitLab API to audit GitLab for sensitive data and credentials exposed internally, this includes code, commits, wikis etc


Comments are closed.