IRS Was Not Hacked – Taxpayer Data Stolen For 100,000 People

The New Acunetix V12 Engine


So the IRS was not hacked – as many media outlets are claiming. Was taxpayer data stolen from IRS systems? Yes, did it involve any kind of hack (by any definition) – no.

There was no intrusion, there was some clever phishing, data slurping and brute forcing – of people who already had their data stolen it’s important to note.

IRS Was Not Hacked - Taxpayer Data Stolen For 100,000 People

It seems the biggest leak was of tax returns and the illegal access is to bolster the stolen identities of folks who had already been compromised by some other means.

The US Internal Revenue Service said on Tuesday that info including tax returns and income forms for some 100,000 people were illegally accessed this year.

The US tax agency believes a group collected a trove of information on the victims and then used that data to fill out the authentication forms for the IRS’s online “Get Transcript” feature, which allows taxpayers to access past tax records.

To say that the IRS itself was “hacked” – as some journos squawked today – is more than a stretch. The criminals did not compromise any IRS servers or exploit technical glitches in the Get Transcript feature. Rather, they gathered an obscene amount of personal data from their victims via other means, and then typed that data to the IRS site.

“Third parties succeeded in clearing a multi-step authentication process that required prior personal knowledge about the taxpayer, including Social Security information, date of birth, tax filing status and street address before accessing IRS systems,” the IRS told The Reg in an emailed statement.

“The multi-layer process also requires an additional step, where applicants must correctly answer several personal identity verification questions that typically are only known by the taxpayer.”

According to the IRS, the data theft operation ran from February through mid-May, when the activity was detected. In total, the IRS said 200,000 attempts to access personal information were made from “questionable” email accounts, about half of which resulted in successfully accessing the Get Transcript function.


The one thing that surprises me is that so many bogus requests were not detected earlier, as I’m pretty sure a lot of questions were answered wrongly and retried possibly multiple times.

Perhaps the attackers were very smart though and used different IP addresses, different browser agents, different submission timings etc. And not noticing 200,000 illicit requests from “questionable” e-mail addresses – that seems kinda lackadaisical.

It is not known how the personal information used to fill out the transcript requests was gathered, or from where.

“The matter is under continuing review by the Treasury Inspector General for Tax Administration and IRS offices, including Criminal Investigation,” the IRS said. “The IRS notes this issue does not involve its main computer system that handles tax filing submission; that system remains secure.”

The IRS has shut down the Get Transcript portal until further notice. The tax authority will also provide free credit monitoring services to those who were affected by the illegal access – and given the nature of the data required for access, they’ll need it.

When your Social Security Number, date of birth, marital state, home address, and enough personal background to answer a handful of verification questions has been taken by an identity thief, you probably have other things to worry about than whether they view your 1040EZ.

Again, we would advise those not affected not to panic over any sensationalist “IRS has been hacked!” headlines currently floating around news and social media. This was not a breach of any IRS systems, but rather what appears to be the result of some very extensive phishing/data harvesting from 100,000 unlucky individuals.

So yah to summarise it’s not a hack, but it does expose some weakness in the IRS Get Transcript service and due to that, they’ve disabled it at the moment.

But as the article mentions, if the attackers already had that much information on you (SSN, address, personal information) – them getting access to your historical tax returns is the least of your worries.

Source: The Register

Posted in: Legal Issues, Privacy


Latest Posts:


Domained - Multi Tool Subdomain Enumeration Domained – Multi Tool Subdomain Enumeration
Domained is a multi tool subdomain enumeration tool that uses several subdomain enumeration tools and wordlists to create a unique list of subdomains.
Acunetix Vulnerability Scanner For Linux Now Available Acunetix Vulnerability Scanner For Linux Now Available
Acunetix Vulnerability Scanner For Linux is now available, now you get all of the functionality of Acunetix, with all of the dependability of Linux.
Gerix WiFi Cracker - Wireless 802.11 Hacking Tool With GUI Gerix WiFi Cracker – Wireless 802.11 Hacking Tool With GUI
Gerix WiFi cracker is an easy to use Wireless 802.11 Hacking Tool with a GUI, it was originally made to run on BackTrack and this version has been updated for Kali (2018.1).
Malcom - Malware Communication Analyzer Malcom – Malware Communication Analyzer
Malcom is a Malware Communication Analyzer designed to analyze a system's network communication using graphical representations of network traffic.
WepAttack - WLAN 802.11 WEP Key Hacking Tool WepAttack – WLAN 802.11 WEP Key Hacking Tool
WepAttack is a WLAN open source Linux WEP key hacking tool for breaking 802.11 WEP keys using a wordlist based dictionary attack.
Eraser - Windows Secure Erase Hard Drive Wiper Eraser – Windows Secure Erase Hard Drive Wiper
Eraser is a hard drive wiper for Windows which allows you to run a secure erase and completely remove sensitive data from your hard drive by overwriting it several times with carefully selected patterns.


Comments are closed.