IRS Was Not Hacked – Taxpayer Data Stolen For 100,000 People

Outsmart Malicious Hackers


So the IRS was not hacked – as many media outlets are claiming. Was taxpayer data stolen from IRS systems? Yes, did it involve any kind of hack (by any definition) – no.

There was no intrusion, there was some clever phishing, data slurping and brute forcing – of people who already had their data stolen it’s important to note.

IRS Was Not Hacked - Taxpayer Data Stolen For 100,000 People

It seems the biggest leak was of tax returns and the illegal access is to bolster the stolen identities of folks who had already been compromised by some other means.

The US Internal Revenue Service said on Tuesday that info including tax returns and income forms for some 100,000 people were illegally accessed this year.

The US tax agency believes a group collected a trove of information on the victims and then used that data to fill out the authentication forms for the IRS’s online “Get Transcript” feature, which allows taxpayers to access past tax records.

To say that the IRS itself was “hacked” – as some journos squawked today – is more than a stretch. The criminals did not compromise any IRS servers or exploit technical glitches in the Get Transcript feature. Rather, they gathered an obscene amount of personal data from their victims via other means, and then typed that data to the IRS site.

“Third parties succeeded in clearing a multi-step authentication process that required prior personal knowledge about the taxpayer, including Social Security information, date of birth, tax filing status and street address before accessing IRS systems,” the IRS told The Reg in an emailed statement.

“The multi-layer process also requires an additional step, where applicants must correctly answer several personal identity verification questions that typically are only known by the taxpayer.”

According to the IRS, the data theft operation ran from February through mid-May, when the activity was detected. In total, the IRS said 200,000 attempts to access personal information were made from “questionable” email accounts, about half of which resulted in successfully accessing the Get Transcript function.


The one thing that surprises me is that so many bogus requests were not detected earlier, as I’m pretty sure a lot of questions were answered wrongly and retried possibly multiple times.

Perhaps the attackers were very smart though and used different IP addresses, different browser agents, different submission timings etc. And not noticing 200,000 illicit requests from “questionable” e-mail addresses – that seems kinda lackadaisical.

It is not known how the personal information used to fill out the transcript requests was gathered, or from where.

“The matter is under continuing review by the Treasury Inspector General for Tax Administration and IRS offices, including Criminal Investigation,” the IRS said. “The IRS notes this issue does not involve its main computer system that handles tax filing submission; that system remains secure.”

The IRS has shut down the Get Transcript portal until further notice. The tax authority will also provide free credit monitoring services to those who were affected by the illegal access – and given the nature of the data required for access, they’ll need it.

When your Social Security Number, date of birth, marital state, home address, and enough personal background to answer a handful of verification questions has been taken by an identity thief, you probably have other things to worry about than whether they view your 1040EZ.

Again, we would advise those not affected not to panic over any sensationalist “IRS has been hacked!” headlines currently floating around news and social media. This was not a breach of any IRS systems, but rather what appears to be the result of some very extensive phishing/data harvesting from 100,000 unlucky individuals.

So yah to summarise it’s not a hack, but it does expose some weakness in the IRS Get Transcript service and due to that, they’ve disabled it at the moment.

But as the article mentions, if the attackers already had that much information on you (SSN, address, personal information) – them getting access to your historical tax returns is the least of your worries.

Source: The Register

Posted in: Legal Issues, Privacy


Latest Posts:


Terabytes Of US Military Social Media Spying S3 Data Exposed Terabytes Of US Military Social Media Spying S3 Data Exposed
Once again the old, default Amazon AWS S3 settings are catching people out, the US Military has left terabytes of social media spying S3 data exposed.
SNIFFlab - Create Your Own MITM Test Environment SNIFFlab – Create Your Own MITM Test Environment
SNIFFlab is a set of scripts in Python that enable you to create your own MITM test environment for packet sniffing through a WiFi access point.
Skype Log Viewer Download - View Logs on Windows Skype Log Viewer Download – View Logs on Windows
Skype Log Viewer allows you to download and view the Skype history and log files, on Windows, without actually downloading the Skype client itself.
Ethereum Parity Bug Destroys Over $250 Million In Tokens Ethereum Parity Bug Destroys Over $250 Million In Tokens
If you are into cryptocurrency or blockchain at all, you will have heard about the Ethereum Parity Bug that has basically binned $280 Million + ETH.
WPSeku - Black-Box Remote WordPress Security Scanner WPSeku – Black-Box Remote WordPress Security Scanner
WPSeku is a black box WordPress Security scanner that can be used to scan remote WordPress installations to find security issues and vulnerabilities.
Malaysia Telco Hack - Corporations Spill 46 Million Records Malaysia Telco Hack – Corporations Spill 46 Million Records
The Malaysia Telco Hack has been blowing up in the news with over 42 Million Records being leaked including IMEI numbers, SIM details and home addresses.


Comments are closed.