In two separate incidents, attackers recently replayed usernames and passwords stolen in unrelated breaches, a technique known as credential stuffing, to access 8,800 TaxSlayer accounts and more than 20 million accounts at Alibaba’s Taobao e-commerce site.
The online tax preparation service TaxSlayer last week began notifying approximately 8,800 customers that their personal information may have been inappropriately accessed (h/t SC Magazine).
“As a result of ongoing security reviews, TaxSlayer identified on January 13, 2016 that an unauthorized third party, whom we believe obtained your username and password from another online service, may have accessed your TaxSlayer account between 10/10/2015 and 12/21/2015,” TaxSlayer director of customer support Lisa Daniel wrote in a notification letter [PDF] to those affected.
The third party may have accessed any information included in the users’ tax returns or draft tax returns, including names, addresses, Social Security numbers, dependents’ Social Security numbers, and other tax information.
The passwords of all affected users have been reset, and all those affected are being offered one free year of credit monitoring services from ID Experts.
Tax preparation solutions provider TaxAct recently suffered a similar password-reuse breach, which exposed an undisclosed number of customers’ tax returns.
Separately, hackers in China used a database of 99 million usernames and passwords stolen from other websites to target accounts at Alibaba’s Taobao shopping site, and found that 20.59 million of the username and password combinations, roughly one in five, also worked for Taobao, Reuters reports.
They used the stolen accounts to raise other sellers’ rankings, and also sold stolen accounts for use in fraud. The attempts began in mid-October of 2015, and were discovered in November. Alibaba says the hackers have been caught.
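The Taobao attack has a recognizable shape in a login log: one source tries a long list of different accounts, each once or twice, and a minority of those attempts succeed because the owners reused a password. The following Python script, an added example that is not code from TaxSlayer, Alibaba or this article, flags sources matching that pattern and lists the accounts that were successfully logged into so they can be force-reset, as TaxSlayer did. The log format (timestamp, source IP, username, OK/FAIL), the window size and the thresholds are assumptions chosen for illustration, and the log lines are constructed in the script rather than taken from any real system.

```python
"""Flag credential-stuffing sources in a login log.

Added example, not code from TaxSlayer, Alibaba or the article. The log
format, field names and thresholds are assumptions made for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=10)   # sliding window per source address (assumed)
MIN_DISTINCT_USERS = 20          # many different accounts from one source (assumed)
MAX_ATTEMPTS_PER_USER = 2.0      # a replayed list tries each pair once or twice (assumed)
TS_FMT = "%Y-%m-%dT%H:%M:%SZ"


def parse_line(line):
    """Parse 'ISO8601 src_ip username OK|FAIL' into a record (format assumed)."""
    ts, ip, user, outcome = line.split()
    return {"ts": datetime.strptime(ts, TS_FMT), "ip": ip,
            "user": user, "ok": outcome == "OK"}


def detect_stuffing(lines):
    """Return {src_ip: stats} for sources whose attempts within one window
    touch many distinct accounts with about one try each. A single account
    hammered with many passwords (brute force) or a user mistyping their
    own password a few times does not match and is left alone."""
    by_ip = defaultdict(list)
    for line in lines:
        line = line.strip()
        if line and not line.startswith("#"):
            rec = parse_line(line)
            by_ip[rec["ip"]].append(rec)

    alerts = {}
    for ip, recs in by_ip.items():
        recs.sort(key=lambda r: r["ts"])
        start = 0
        for end, rec in enumerate(recs):
            # Advance the window start so recs[start:end+1] spans at most WINDOW.
            while rec["ts"] - recs[start]["ts"] > WINDOW:
                start += 1
            window = recs[start:end + 1]
            users = {r["user"] for r in window}
            if (len(users) >= MIN_DISTINCT_USERS
                    and len(window) / len(users) <= MAX_ATTEMPTS_PER_USER):
                # Once a source is flagged, report everything it did, not just
                # the triggering window: the successes are the accounts to reset.
                alerts[ip] = {
                    "attempts": len(recs),
                    "distinct_users": len({r["user"] for r in recs}),
                    "successes": sorted({r["user"] for r in recs if r["ok"]}),
                }
                break
    return alerts


def _constructed_log():
    """Constructed sample log, not real traffic: one stuffing source where a
    fifth of the replayed pairs work, one user mistyping a password, and one
    single-account brute force that should not be reported as stuffing."""
    base = datetime(2015, 10, 15, 2, 0, 0)
    lines = []
    for i in range(1, 26):                      # 25 accounts, one try each
        ts = (base + timedelta(seconds=i)).strftime(TS_FMT)
        outcome = "OK" if i % 5 == 0 else "FAIL"  # 5 of 25 reused passwords
        lines.append(f"{ts} 203.0.113.7 user{i:02d} {outcome}")
    for i, outcome in enumerate(["FAIL", "FAIL", "OK"]):   # legitimate retry
        ts = (base + timedelta(minutes=30, seconds=i * 20)).strftime(TS_FMT)
        lines.append(f"{ts} 198.51.100.4 carol {outcome}")
    for i in range(40):                         # brute force on one account
        ts = (base + timedelta(hours=1, seconds=i)).strftime(TS_FMT)
        lines.append(f"{ts} 192.0.2.9 admin FAIL")
    return lines


SAMPLE_LOG = _constructed_log()

if __name__ == "__main__":
    for ip, stats in detect_stuffing(SAMPLE_LOG).items():
        print(ip, stats)
```

The brute-force source is deliberately not reported here because it is a different signal (one account, many passwords) with a different response (lock or rate-limit that account); a real deployment would run a separate rule for it. The stuffing rule keys on the number of distinct accounts per source rather than on failure count alone, because, as the Taobao numbers show, a replayed breach list can succeed often enough that a failure-only threshold fires late or not at all.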
Seculert CEO Richard Greene told eSecurity Planet by email that the Taobao breach demonstrates that in many cases, hackers unfortunately have time on their side. “It’s currently relatively easy — based on the evidence — to breach a network, study it, and expropriate whatever data you want,” he said. “It highlights yet again the need for effective post-infection detection.”
A Ping Identity survey of more than 1,000 U.S. enterprise employees recently found that almost half of respondents reuse passwords for work-related accounts, and almost two thirds do so for personal accounts. “No matter how good employees’ intentions are, this behavior poses a real security threat,” Ping Identity CEO Andre Durand said at the time.
A recent eSecurity Planet article offered advice on securing corporate data in a post-perimeter world.