In response to today’s news reports that Intuit has informed customers that their tax records were exposed through a breach and their account has been deactivated, an expert with STEALTHbits commented below.
Adam Laub, SVP Product Management at STEALTHbits Technologies:
Human nature is the fuel within the Credential Stuffing machine. If your email address is your typical username and you use the same password across different sites, you’re ripe for the picking.
Credential Stuffing ceases to be a viable attack technique when users leverage different, unique passwords across the various sites and services they log into. However, our innate desire to remember as little information as possible in an age where all the information we may ever want to recall is literally at our fingertips continues to drive the use of the same username and password combination to everything we access, from our bank accounts and medical records to of course our tax returns.
With just an ounce more effort and the use of any password management tool, this particular attack technique could become completely useless. My guess is that we’ll continue to see this for quite some time.