TurboTax is Secured Against the “Heartbleed” Internet Vulnerability


Updated 4/11/14 (12:05 pm PST). The article below has been updated with the latest information from our engineers.

A security flaw called Heartbleed has been discovered in the popular OpenSSL cryptographic software library, which is used by up to two thirds of the Internet. TurboTax engineers have verified TurboTax is not affected by “Heartbleed.” You can be confident that TurboTax websites are secure and your personal and financial information is safe. You can file your tax return today with confidence.

Safeguarding our customers’ data is our top priority. We continuously monitor our systems to improve our security capabilities in service to our customers.  Even though TurboTax was not vulnerable, we have taken additional security precautions to protect the security and privacy of customers’ personal and financial information.

The IRS continues to accept tax returns as normal and has stated that their systems continue operating and are not affected by this bug. The IRS advises taxpayers to continue filing their tax returns as they normally would in advance of the April 15 tax deadline.

Frequently Asked Questions

Here are answers to questions you may have:

Should I file today? Or wait?
TurboTax is safe to use and you can file today. There’s no reason to wait. Our engineers have verified TurboTax is not affected by “Heartbleed.”

Do I need to change my password?
You can update your password at any time, although we are not proactively advising you to do so.

Online tools/websites show that your sites are failing the security grade, so are you OK?
Our engineers have verified TurboTax is not affected by “Heartbleed”. Even though we were not vulnerable, and had no need to do so, we decided to rotate the certificates on our key tax sites to help address some of your concerns and clear up the confusion. That effort has been completed.

We have changed the certificates on turbotax.intuit.com (the front door to all of our TurboTax applications) and accounts.intuit.com (where we manage your usernames/passwords). If you visit those sites and examine the details of the certificate in your browser, you will see issue dates of April 9th, 2014, which indicates that the certificates are brand new.

Can you confirm that you were never vulnerable to begin with?
We continuously monitor our systems and have no indication that TurboTax.com was ever vulnerable. Earlier this week, we did patch a couple of support services to protect against the Heartbleed security vulnerability. We’re confident that TurboTax is safe to use. The fact is, the vast majority of our servers do not use the version of SSL that was vulnerable to Heartbleed.

 

Comments (74)

  1. I used turbotax.ca and I used my brand new credit card to do my taxes in early March. No other internet site has my credit information. Last week someone charged up a lot of stuff; luckily my bank caught it.

  2. I used turbo tax last year, for the first time. This year, I went to file our taxes through Turbo Tax, only to have them tell me our taxes had already been filed three weeks earlier. I called, and sure enough, someone had used my husband’s SS# to file taxes in his name, using his phone number (except for changing the last digit) and having it sent to a home in Fullerton, CA. We have lived all our lives in Louisiana, and have always filed married/jointly. This person filed single. The fact that it was a different state, different filing status, WAY different email address (which, in itself indicates suspicion because it was so strange: govatyjutisu@hotmail.com . . . REALLY???)
    NONE of that raised a flag with Turbo Tax. This was obviously a scam, as our refund was mailed to a house that is up for sale in CA. I will NEVER use Turbo Tax again. I will only use the IRS site, using fillable forms, printing them out and mailing them in. I’m done and totally disgusted by this…not to mention paranoid.

  3. I filed through Turbo Tax software I purchased, I live in Ontario. I chose the option to have turbotax netfile my return to CRA. Even though turbo tax is saying they have not been affected, is it still possible that my info could have been compromised with the CRA’s website or Netfile?

  4. Had issues purchasing the product online that required me to spend 45 mins on hold and then the live TurboTax rep solved it quickly. Then spent another 45 mins on hold another day due to issue with TurboTax handling me working in one state and living in another. Then when I filed my taxes, TurboTax would not take my credit card. Had to pay the $34.99 to take it out of my bank account. Been using TurboTax for years now. Quality was definitely off this year. I hope they improve next year or I will need to look for an alternative to TurboTax.

  5. So, if you are so confident that our tax returns will be safe using TurboTax, then do what Lifelock does and guarantee that our data is safe and secure with a $1 Million guarantee.

    We’ll wait for your response…….

  6. Until Intuit identifies what customer information was on the affected services we have no choice but to assume everything passed to them in the past 2 years was vulnerable to compromise.

  7. Turbotax.ca was affected by Heartbleed and the Heartbleed test website continues to report that “something went wrong”. Has this website been fixed?

  8. Well, this was the first time I ever used Turbo Tax, and I have received phone calls from fraudulent “tax payment collectors” about 5 times during this tax season. I’m not calling Turbo Tax liars, just making a statement that their website is obviously not safe.

  9. No matter what question is asked, TT just repeats the same inadequate answer. Saying “we have no indication TT was ever vulnerable” is very different from saying “We have confirmed that TT was never vulnerable.” The fact that the “majority of servers do not use the version of SSL that was vulnerable” suggests that SOME servers did use that version, and it only takes one vulnerable server to compromise data. TT would be wise to actually answer the questions that were asked, and not repeat lawyer-speak.

    • Hi Steve,
      Yes, we were not vulnerable to the Heartbleed bug, but to make our customers feel more comfortable we updated our certificates. You can safely efile your state taxes.
      Thank you,
      Lisa Greene-Lewis

  10. Let’s be real here, there is absolutely no way Intuit will reveal if they were compromised or not because it would DESTROY their business for the year. How many millions would they lose if all the procrastinators bailed on filing their taxes due to Heartbleed?

    It’s just like car companies not revealing problems with their cars. Money > Customers

  11. “We continuously monitor our systems and have no indication that TurboTax.com was ever vulnerable” is plain nonsense. The fact is that the Heartbleed bug enables an attacker/hacker to hack data in such a way it leaves no trace on the server or client side. This is what makes Heartbleed so ominous. So while continuously monitoring your system is a wonderful thing, it would have done nothing to prevent or detect a Heartbleed attack. So the honest/correct answer from any site that was vulnerable to Heartbleed is that “We don’t know” whether any damage was done or the extent of the damage if any.

    • Hi Raj,
      Please see the update made on our post from our engineers.
      Thank you,
      Lisa Greene-Lewis

  12. I took tubotaxjen’s advice and went to http://filippo.io/Heartbleed/ to look for a positive result for TurboTax. However, it does not finish. I have now tried it four times. Can someone else please try the test for Turbotax.com and tell me what you get? Thanks so much!

  13. It doesn’t look safe to me after checking on LastPass:

    Site: turbotax.com
    Server software: Apache-Coyote/1.1
    Vulnerable: Very likely (known use OpenSSL)
    SSL Certificate: Unsafe (created 2 months ago at Feb 7 00:00:00 2014 GMT)
    Assessment: Wait for the site to update before changing your password

    • I’m an IT guy and RHCSA (Red Hat Certified System Administrator).

      Intuit is a Red Hat customer (Apache Coyote is a component in Red Hat’s JBOSS application server).

      Red Hat’s upstream backporting policy means only EXTREMELY recent (in the enterprise sense) versions of openssl are vulnerable.

      It’s therefore highly likely that TurboTax’s assertion, that the version of openssl they use is not impacted by Heartbleed, is correct.

    • Hi Alan,
      Taxpayers can be confident that TurboTax websites are secure and their personal and financial information is safe.

      Thanks,
      Jen

    • Hi Asbas33,

      Our engineers have verified TurboTax is not affected by “Heartbleed.” Password resets and re-issuing of SSL certificates are not required at this time.
      There are many online tools that show varying results; you can check here: http://filippo.io/Heartbleed/. Taxpayers can be confident that TurboTax websites are secure and their personal and financial information is safe.

      Thanks,
      Jen

    • I am confident that TurboTax uses multiple layers of encryption as my small company does. We never trust just using SSL for encryption for important user data.

  14. So, the systems were not secure before? Your advice for dealing with this is what? Should we start by changing our passwords?

    • Hi Daniel,

      We continuously monitor our systems and have no indication that TurboTax.com was ever vulnerable. Earlier this week, we did patch a couple of support services to protect against the Heartbleed security vulnerability. We’re confident that TurboTax is safe to use. The fact is, the vast majority of our servers do not use the version of SSL that was vulnerable to Heartbleed. It is always good practice to regularly update your online passwords, however, we are not proactively recommending that customers do so now. If you would like to update your password, here are instructions to do so: https://ttlc.intuit.com/questions/2404942-how-can-i-change-my-password

      Thanks,
      Jen

  15. Is it recommended that we update our Turbo Tax password (if it hasn’t been changed in the past year)?

    • Hi Gil,

      We continuously monitor our systems and have no indication that TurboTax.com was ever vulnerable. Earlier this week, we did patch a couple of support services to protect against the Heartbleed security vulnerability. We’re confident that TurboTax is safe to use. The fact is, the vast majority of our servers do not use the version of SSL that was vulnerable to Heartbleed. Hope this answers your question!

      Thanks,
      Jen

    • Hi Shirley,

      Our engineers have verified TurboTax is not affected by “Heartbleed.” Password resets and re-issuing of SSL certificates are not required at this time.
      There are many online tools that show varying results; you can check here: http://filippo.io/Heartbleed/. Taxpayers can be confident that TurboTax websites are secure and their personal and financial information is safe.

      Thanks,
      Jen

      • I have gone to that website and tried to run the test twice. The scan never finishes. Can you try it and tell me how long it took you from start to end?

        Thank you

  16. So does this mean that TurboTax was vulnerable to heartbleed, but now it is no longer vulnerable because it is secured, so users should change their passwords? Or does this mean TurboTax was never vulnerable to heartbleed, so no need to change passwords?

    • Hi Tony,

      We continuously monitor our systems and have no indication that TurboTax.com was ever vulnerable. Earlier this week, we did patch a couple of support services to protect against the Heartbleed security vulnerability. We’re confident that TurboTax is safe to use. The fact is, the vast majority of our servers do not use the version of SSL that was vulnerable to Heartbleed. It is always good practice to regularly update your online passwords, however, we are not proactively recommending that customers do so now. If you would like to update your password, here are instructions to do so: https://ttlc.intuit.com/questions/2404942-how-can-i-change-my-password

      Thanks,
      Jen

    • Hi Tony,
      Please see our updates regarding the Heartbleed bug. We continuously monitor our systems and have no indication that TurboTax.com was ever vulnerable. Earlier this week, we did patch a couple of support services to protect against the Heartbleed security vulnerability. We’re confident that TurboTax is safe to use. The fact is, the vast majority of our servers do not use the version of SSL that was vulnerable to Heartbleed.

      Thank you,
      Lisa Greene-Lewis

  17. Does that mean that Intuit updated the vulnerable software and the system is not vulnerable today….or that Intuit has never installed the vulnerable OpenSSL version released in late 2011 and the vulnerability never existed?

  18. Why is https://turbotax.intuit.com still using the old certificate generated on Feb 7, 2014, which is before the heartbleed bug was published? I know that Intuit has patched its servers, but according to http://en.wikipedia.org/wiki/Heartbleed_bug, patching alone does not fix this bug. The SSL certificate must be regenerated with new private keys and passwords.

    I’ve been using TurboTax since 2009 and have started using it for 2013 tax return but I haven’t finished filing my tax return. I didn’t want to log on to TurboTax web site again until you have a new SSL certificate.

    • Hi teera,

      We continuously monitor our systems and have no indication that TurboTax.com was ever vulnerable. Earlier this week, we did patch a couple of support services to protect against the Heartbleed security vulnerability. We’re confident that TurboTax is safe to use. The fact is, the vast majority of our servers do not use the version of SSL that was vulnerable to Heartbleed. TurboTax is safe to use and you can file today. There’s no reason to wait. Our engineers have verified TurboTax is not affected by “Heartbleed.” Password resets and re-issuing of SSL certificates are not required at this time.

      Thanks,
      Jen

  19. Heartbleed is not new–it has apparently existed since 2012. Your statement says that Intuit has secured TurboTax…great, but the clear implication is that it has potentially been unsecured for some period of time, perhaps even since 2012. So Intuit, how long have our passwords and logins (and thus Social Security Numbers) been vulnerable to this flaw? We need a frank statement now, no more vague marketing blather about how seriously you take security–that is all a given and we get it. What are the facts? How long did you use the vulnerable version of OpenSSL on the TurboTax site?

    • Hi Matt,

      We continuously monitor our systems and have no indication that TurboTax.com was ever vulnerable. Earlier this week, we did patch a couple of support services to protect against the Heartbleed security vulnerability. We’re confident that TurboTax is safe to use. The fact is, the vast majority of our servers do not use the version of SSL that was vulnerable to Heartbleed.

      Thanks,
      Jen

  20. The post does not say if you were affected by the heart bleed vulnerability or not?

    Do we need to change our Turbotax passwords?

    • Hi Tom,

      We continuously monitor our systems and have no indication that TurboTax.com was ever vulnerable. Earlier this week, we did patch a couple of support services to protect against the Heartbleed security vulnerability. We’re confident that TurboTax is safe to use. The fact is, the vast majority of our servers do not use the version of SSL that was vulnerable to Heartbleed. It is always good practice to regularly update your online passwords, however, we are not proactively recommending that customers do so now. If you would like to update your password, here are instructions to do so: https://ttlc.intuit.com/questions/2404942-how-can-i-change-my-password

      Thanks,
      Jen

  21. You have secured your website, meaning you patched the vulnerability. Are you advising customers to change their passwords? Was Intuit exploited?

    • Hi Don,

      Our engineers have verified TurboTax is not affected by “Heartbleed.” It is always good practice to regularly update your online passwords, however, we are not proactively recommending that customers do so now.

      Thanks,
      Jen

    • Hi Don,
      Please see our updates to this blog post, which answer your questions.
      Thank you,
      Lisa Greene-Lewis

  22. When you say you secured the servers, does that mean you fixed the Heartbleed vulnerability? If so, why aren’t you advising customers to change their password?

    • Hi Kathryn,

      We continuously monitor our systems and have no indication that TurboTax.com was ever vulnerable. Earlier this week, we did patch a couple of support services to protect against the Heartbleed security vulnerability. We’re confident that TurboTax is safe to use. The fact is, the vast majority of our servers do not use the version of SSL that was vulnerable to Heartbleed. It is always good practice to regularly update your online passwords, however, we are not proactively recommending that customers do so now. If you would like to update your password, here are instructions to do so: https://ttlc.intuit.com/questions/2404942-how-can-i-change-my-password

      Thanks,
      Jen

    • Hi Kathryn,
      Please see our updates to this blog post, which addresses your questions.
      Thank you,
      Lisa Greene-Lewis

  23. I would like more information, please? The TurboTax site appears to use some OpenSSL components; in what way was it remediated?

    I have used TurboTax for many, many years but am hesitant to use it until more visibility is given.

    • Hi Edward,

      Our engineers have verified TurboTax is not affected by “Heartbleed.” Password resets and re-issuing of SSL certificates are not required at this time.
      There are many online tools that show varying results; you can check here: http://filippo.io/Heartbleed/
      We continuously monitor our systems and have no indication that TurboTax.com was ever vulnerable. Earlier this week, we did patch a couple of support services to protect against the Heartbleed security vulnerability. We’re confident that TurboTax is safe to use. The fact is, the vast majority of our servers do not use the version of SSL that was vulnerable to Heartbleed. You can rest assured that TurboTax is safe to use and you can file today.

      Thanks,
      Jen

    • Hi Edward,
      Please see our updates to our blog post, which addresses your questions.
      Thank you,
      Lisa Greene-Lewis

  24. Can we infer then that site was previously vulnerable? Has Intuit generated new SSL keys and certificates? Do they advise that we all now change our passwords?

    • Hi Apolune,

      We continuously monitor our systems and have no indication that TurboTax.com was ever vulnerable. Earlier this week, we did patch a couple of support services to protect against the Heartbleed security vulnerability. We’re confident that TurboTax is safe to use. The fact is, the vast majority of our servers do not use the version of SSL that was vulnerable to Heartbleed. It is always good practice to regularly update your online passwords, however, we are not proactively recommending that customers do so now.

      Thanks,
      Jen

    • Hi,
      Please see the updates made to our blog on this subject, which addresses your questions.
      Thank you,
      Lisa Greene-Lewis

  25. My connection to you may be safe, but what about your connection to the IRS site when you send it on? Is that a safe connection?

  26. So what is the risk if you have already filed your returns and what is Intuit doing to protect those customers?

    • Hi Margaret,
      We continuously monitor our systems and have no indication that TurboTax.com was ever vulnerable. Earlier this week, we did patch a couple of support services to protect against the Heartbleed security vulnerability. We’re confident that TurboTax is safe to use. The fact is, the vast majority of our servers do not use the version of SSL that was vulnerable to Heartbleed.
      Thank you,
      Lisa Greene-Lewis

    • Hi Margaret,

      We continuously monitor our systems and have no indication that TurboTax.com was ever vulnerable. Earlier this week, we did patch a couple of support services to protect against the Heartbleed security vulnerability. We’re confident that TurboTax is safe to use. The fact is, the vast majority of our servers do not use the version of SSL that was vulnerable to Heartbleed. Those who have filed and plan to file can be confident that TurboTax websites are secure and their personal and financial information is safe.

      Thanks,
      Jen

  27. Thank you so much. This is another reason I use Turbo Tax every year. Detail detail detail. You take care of everything.

    • That’s great. Can you comment on whether you were previously susceptible to heartbleed and whether we need to change our passwords?

      • Hi Eric,

        We continuously monitor our systems and have no indication that TurboTax.com was ever vulnerable. Earlier this week, we did patch a couple of support services to protect against the Heartbleed security vulnerability. We’re confident that TurboTax is safe to use. The fact is, the vast majority of our servers do not use the version of SSL that was vulnerable to Heartbleed. It is always good practice to regularly update your online passwords, however, we are not proactively recommending that customers do so now. If you would like to update your password, here are instructions to do so: https://ttlc.intuit.com/questions/2404942-how-can-i-change-my-password

        Thanks,
        Jen

      • Intuit, the current SSL certificates on your site were issued on February 6 of this year. The recommendation for ALL sites that were potentially affected by heartbleed is to issue NEW SSL certificates. Why has this not happened yet? I work in IT Security and am not comfortable at ALL with finishing my tax return while you continue to use certs that may already be compromised.
