[20047] in bugtraq

No subject found in mail header

daemon@ATHENA.MIT.EDU (Rajiv Aaron Manglani)
Fri Apr 6 00:52:10 2001

Mime-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1" ; format="flowed"
Message-ID:  <p05010407b6f223009726@[10.96.0.12]>
Date:         Thu, 5 Apr 2001 09:28:05 -0400
Reply-To: rajiv-noreply@imagineblue.com
From: Rajiv Aaron Manglani <rajiv-noreply@imagineblue.com>
To: BUGTRAQ@SECURITYFOCUS.COM
Content-Transfer-Encoding: 8bit

from http://www.turbotax.com/atr/update/


Information for Customers Who Imported Investment Tax Information Into TurboTax

There was a programming error in TurboTax that inadvertently saved
customer passwords. This applies only to customers who electronically
imported investment tax information from their financial
institution(s) and was permanently fixed. For desktop customers,
TurboTax inadvertently saved passwords to the hard drive of the
customer's personal computer. Although the password is still in their
personal possession, they may not know it's on their hard drive. For
TurboTax for the Web customers, passwords were inadvertently and
temporarily saved to Intuit's server, but have since been permanently
deleted.

No customer data has been compromised nor are customers' tax returns
or refunds affected in any way. However, as a precaution, we
recommend that the following customers who electronically imported
investment data into TurboTax change their passwords and update their
TurboTax software:

*	TurboTax for Windows desktop software users who imported
investment tax information from their financial institution between
January 31 and March 4, 2001, and those who imported investment
information from March 4 to April 4, but did not update their
TurboTax software when they were prompted by the software. These
customers have had passwords saved on their personal computer's hard
drive. Although the password is still in their personal possession,
they may not know it's on their hard drive. What do I do?

*	TurboTax for the Web users who imported investment tax
information from their financial institution before March 4. These
customers had their passwords saved on Intuit's servers. In keeping
with Intuit's policy of not collecting personally identifiable
information without the customer's knowledge, we have permanently
deleted the passwords. What do I do?

*	TurboTax for the Web users who downloaded their tax file on
their personal computer's hard drive may also have had their password
saved on their hard drive. What do I do?

We recommend that you take the following actions as a precaution:

*	Change your PIN or password at each financial institution from
which you imported investment information. Your financial
institution(s) can provide information on how to do this. Some
financial institutions are requiring their customers to change their
PIN or password.

*	If applicable, update from within the TurboTax software
(One-Click Update) to automatically delete any PIN or password in the
tax file. This will not change anything in your tax return, even if
you have already filed. See below for more information on updating
TurboTax.

I Use TurboTax for the Desktop - What Do I Do?
We recommend that you take the following two actions (Note: TurboTax
for Mac users are not impacted):

*	Change the PIN or password you use with your financial
institution(s). Your financial institution(s) can provide you with
information on how to do that.

*	Update TurboTax to permanently delete your password from your
TurboTax tax file on your personal computer. Follow these steps:
1.	Start TurboTax (reinstall the software if necessary)
2.	Open your TurboTax tax file by selecting Open from the File menu
3.	Select One-Click Updates from the Online menu
4.	Follow the instructions on-screen to automatically update your
TurboTax software to the most recent version
5.	Save your TurboTax tax file by selecting Save from the File menu
6.	Repeat steps 2-5, for each tax return that imported investment
information, if you prepared more than one federal return

We recommend that you not delete your tax file. Deleting the file
means you will be unable to amend your return if necessary or
transfer your information to next year's TurboTax.

I Use TurboTax for the Web - What Do I Do?
We recommend that you take the following action:

*	Change the PIN or password you use with your financial
institution(s). Your financial institution(s) can provide you with
information on how to do that.
*	If you downloaded your tax file onto your personal computer's
hard drive (this is extremely uncommon), we recommend that you delete
that file. See instructions below. (Note: If you simply saved an
image of your tax return as a PDF file, your password has not been
saved on your hard drive.)

To delete your existing tax file from your hard drive:
1.	Locate your TurboTax tax file on your desktop computer. (By
default, your tax file is saved to the folder WINDOWS\TEMPORARY
INTERNET FILES\CONTENT.IE5\KPS00EWZ and is named TAX2000[1].TAX.)
2.	Delete the tax file.

If you would like to save another copy of the tax file that does not
include your PIN or password:
1.	Open your browser, go to www.turbotax.com, select TurboTax for
the Web and log in to your existing tax return.
2.	Select the tab titled "9. Finish" at the top of the screen.
3.	Select the Download Data File option at the bottom of the
Interview Navigator.
4.	Click Save My Tax Data and follow the directions on-screen. This
will not change anything in your tax return, even if you have already
filed.



Frequently Asked Questions

Did this affect my tax return or refund in any way?
No.

How many customers were affected?
We estimate that approximately 1 percent of TurboTax users were affected.

I used TurboTax desktop software -- where has this information been
saved on my computer?
The information may have been saved in a tax file that resides on the
hard drive of the personal computer you used to prepare your taxes.
As you know, your tax file contains a considerable amount of
sensitive personal, financial and tax information, which you should
always safeguard.

I used TurboTax for the Web -- What has Intuit done to eliminate PINs
or passwords saved on Intuit's servers?
In keeping with Intuit's policy of not collecting personally
identifiable information without the customer's knowledge, we have
permanently deleted the passwords.

What about TurboTax for the Web customers who downloaded their tax
file on their personal computer's hard drive? (This is extremely
uncommon)
A small number of TurboTax for the Web customers who downloaded their
tax file on their personal computer's hard drive may also have had
their passwords saved on their hard drive. In addition to changing
the PIN or password at each of the financial institution(s) from
which they imported investment information, we recommend these
customers also delete the tax file they saved and download a new one
following the instructions above. If you simply saved an image of
your tax return as a PDF file, your password has not been saved on
your hard drive.

How do I change my PIN or password?
Contact your financial institution(s) for information.

Does this apply if I imported information from Quicken® or other
personal finance products?
No.

What if several people used the TurboTax software to complete their returns?
Each person who used the software, if they meet the earlier criteria,
may have had their passwords saved on their personal computer's hard
drive.

What investment accounts does this apply to?
TurboTax customers importing tax-related information from the
following institutions may have been affected: Citicorp Investment
Services' Cititrade accounts, Fidelity Investments, INVESCO Funds,
Salomon Smith Barney, TD Waterhouse, T. Rowe Price and The Vanguard
Group.

Did my password get attached to the return that was electronically
filed with the IRS or state revenue agency?
No.

Is it possible that I may not be affected by this at all?
We estimate that approximately 1 percent of TurboTax customers have
been affected. Only the following customers, all of whom imported
investment tax information from their financial institution(s), have
been affected:

*	TurboTax desktop for Windows software users who imported
investment tax information from their financial institution(s)
between January 31 and March 4, 2001, and those who imported
investment information from March 4 to April 4, but did not update
their TurboTax software when they were prompted by the software.
These customers have had passwords saved on their personal computer's
hard drive. Although the password is still in their personal
possession, they may not know it's on their hard drive.

*	TurboTax for the Web users who imported investment tax
information from their financial institution before March 4. These
customers had their passwords saved on Intuit's servers. In keeping
with Intuit's policy of not collecting personally identifiable
information without the customer's knowledge, we have permanently
deleted the passwords.

*	TurboTax for the Web users who downloaded their tax file on
their personal computer's hard drive may also have had their password
saved on their hard drive.

Where can I get more information?
We have a dedicated toll-free phone number for customers who have any
questions or concerns. That toll-free phone number is: 1-800-224-0933
and is available from 9 a.m. to 8 p.m., EDT, Mondays through Fridays.
It also will be available from 9 a.m. to 8 p.m., EDT, on Saturday and
Sunday, April 7-8.
