TurboTax is Secured Against the “Heartbleed” Internet Vulnerability
Written by TurboTaxBlogTeam
Published Apr 9, 2014 - [Updated Sep 7, 2017]
Updated 4/11/14 (12:05 pm PST)
The article below has been updated with the latest information from our engineers.
A security flaw called Heartbleed has been discovered in the popular OpenSSL cryptographic software library, which is used by up to two thirds of the Internet. TurboTax engineers have verified TurboTax is not affected by “Heartbleed.” You can be confident that TurboTax websites are secure and your personal and financial information is safe. You can file your tax return today with confidence.
Safeguarding our customers’ data is our top priority. We continuously monitor our systems to improve our security capabilities in service to our customers. Even though TurboTax was not vulnerable, we have taken additional security precautions to protect the security and privacy of customers’ personal and financial information.
The IRS continues to accept tax returns as normal and has stated that their systems continue operating and are not affected by this bug. The IRS advises taxpayers to continue filing their tax returns as they normally would in advance of the April 15 tax deadline.
Frequently Asked Questions
Here are answers to questions you may have:
Should I file today? Or wait?
TurboTax is safe to use and you can file today. There’s no reason to wait. Our engineers have verified TurboTax is not affected by “Heartbleed.”
Do I need to change my password?
You can update your password at any time, although we are not proactively advising you to do so.
Online tools/websites show that your sites are failing the security grade, so are you OK?
Our engineers have verified TurboTax is not affected by “Heartbleed”. Even though we were not vulnerable, and had no need to do so, we decided to rotate the certificates on our key tax sites to help address some of your concerns and clear up the confusion. That effort has been completed. We have changed the certificates on turbotax.intuit.com (the front door to all of our TurboTax applications) and accounts.intuit.com (where we manage your usernames/passwords). If you visit those sites and examine the details of the certificate in your browser, you will see issue dates of April 9th, 2014, which indicates that the certificates are brand new.
Can you confirm that you were never vulnerable to begin with?
We continuously monitor our systems and have no indication that TurboTax.com was ever vulnerable. Earlier this week, we did patch a couple of support services to protect against the Heartbleed security vulnerability. We’re confident that TurboTax is safe to use. The fact is, the vast majority of our servers do not use the version of SSL that was vulnerable to Heartbleed.
74 responses to “TurboTax is Secured Against the “Heartbleed” Internet Vulnerability”
Does this statement also apply to Turbotax Canada?
I used turbotax.ca and I used my brand new credit card to do my taxes in early March. No other internet site has my credit information. Last week someone charged up a lot of stuff; luckily my bank caught it.
I used turbo tax last year, for the first time. This year, I went to file our taxes through Turbo Tax, only to have them tell me our taxes had already been filed three weeks earlier. I called, and sure enough, someone had used my husband’s SS# to file taxes in his name, using his phone number (except for changing the last digit) and having it sent to a home in Fullerton, CA. We have lived all our lives in Louisiana, and have always filed married/jointly. This person filed single. The fact that it was a different state, different filing status, WAY different email address (which, in itself indicates suspicion because it was so strange: govatyjutisu@hotmail.com . . . REALLY???) NONE of that raised a flag with Turbo Tax. This was obviously a scam, as our refund was mailed to a house that is up for sale in CA. I will NEVER use Turbo Tax again. I will only use the IRS site, using fillable forms, printing them out and mailing them in. I’m done and totally disgusted by this…not to mention paranoid.
I filed through Turbo Tax software I purchased, I live in Ontario. I chose the option to have turbotax netfile my return to CRA. Even though turbo tax is saying they have not been affected, is it still possible that my info could have been compromised with the CRA’s website or Netfile?
Had issues purchasing the product online that required me to spend 45 mins on hold and then the live TurboTax rep solved it quickly. Then spent another 45 mins on hold another day due to issue with TurboTax handling me working in one state and living in another. Then when I filed my taxes, TurboTax would not take my credit card. Had to pay the $34.99 to take it out of my bank account. Been using TurboTax for years now. Quality was definitely off this year. I hope they improve next year or I will need to look for an alternative to TurboTax.
So, if you are so confident that our tax returns will be safe using TurboTax, then do what Lifelock does and guarantee that our data is safe and secure with a $1 Million guarantee. We’ll wait for your response…….
Until Intuit identifies what customer information was on the affected services we have no choice but to assume everything passed to them in the past 2 years was vulnerable to compromise.
Turbotax.ca was affected by Heartbleed and the Heartbleed test website continues to report that “something went wrong”. Has this website been fixed?
Well, this was the first time I ever used turbo tax, and I have received phone calls from fraudulent “tax payment collectors” about 5 times during this tax season. I’m not calling turbo tax liars, just making a statement that their website is obviously not safe.
Hi Ted, Fraudulent phone calls can happen no matter what method you use. There is a new scam where people call and ask you to make a tax payment. I personally know several people who use a private CPA and this happened to them. It has nothing to do with TurboTax. Here is more information from the IRS http://www.irs.gov/uac/Newsroom/IRS-Warns-of-Pervasive-Telephone-Scam Thank you, Lisa Greene-Lewis
No matter what question is asked, TT just repeats the same inadequate answer. Saying “we have no indication TT was ever vulnerable” is very different from saying “We have confirmed that TT was never vulnerable.” The fact that the “majority of servers do not use the version of SSL that was vulnerable” suggests that SOME servers did use that version, and it only takes one vulnerable server to compromise data. TT would be wise to actually answer the questions that were asked, and not repeat lawyer-speak.
Is using e file safe for Vermont taxes?
Hi Steve, Yes, we were not vulnerable to the Heartbleed bug, but to make our customers feel more comfortable we updated our certificates. You can safely efile your state taxes. Thank you, Lisa Greene-Lewis
Let’s be real here, there is absolutely no way Intuit will reveal if they were compromised or not because it would DESTROY their business for the year. How many millions would they lose if all the procrastinators bailed on filing their taxes due to Heartbleed? It’s just like car companies not revealing problems with their cars. Money > Customers
Hi Kyle, Please see the update to this post from our engineers. Thank you, Lisa Greene-Lewis
“We continuously monitor our systems and have no indication that TurboTax.com was ever vulnerable” is plain nonsense. The fact is that Heartbleed bug enables an attacker/hacker to hack data in such a way it leaves no trace on the server or client side. This is what makes Heartbleed so ominous. So while continuously monitoring your system is a wonderful thing, it would have done nothing to prevent or detect Heartbleed attack. So the honest/correct answer from any site that was vulnerable to Heartbleed is that “We don’t know” whether any damage was done or the extent of the damage if any.
Hi Raj, Please see the update made on our post from our engineers. Thank you, Lisa Greene-Lewis
I took tubotaxjen’s advice and went to http://filippo.io/Heartbleed/ to look for a positive result for TurboTax. However, it does not finish. I have now tried it four times. Can someone else please try the test for Turbotax.com and tell me what you get? Thanks so much!
Hi Shirley, I went onto http://filippo.io/Heartbleed/ again and looks like it’s working for me: http://filippo.io/Heartbleed/#turbotax.com. Hope this helps, let me know if you have any additional questions. Thanks, Jen
It doesn’t look safe to me after checking on LastPass: Site: turbotax.com Server software: Apache-Coyote/1.1 Vulnerable: Very likely (known use OpenSSL) SSL Certificate: Unsafe (created 2 months ago at Feb 7 00:00:00 2014 GMT) Assessment: Wait for the site to update before changing your password
I’m an IT guy and RHCSA (Red Hat Certified System Administrator). Intuit is a Red Hat customer (Apache Coyote is a component in Red Hat’s JBOSS application server). Red Hat’s upstream backporting policy means only EXTREMELY recent (in the enterprise sense) versions of openssl are vulnerable. It’s therefore highly likely that TurboTax’s assertion that the version of openssl they use is not impacted by Heartbleed.
I filed taxes on April 1st. Am I at risk?
Hi Alan, Taxpayers can be confident that TurboTax websites are secure and their personal and financial information are safe. Thanks, Jen
Is a tax return done before this was discovered safe? I.e. two weeks ago
This is a major question to which I also want an answer.
Hi Bob, Taxpayers can be confident that TurboTax websites are secure and their personal and financial information are safe. Thanks, Jen
If TurboTax is safe, then why does it show up as “unsafe” and “very likely” vulnerable on LastPass? See link below: https://lastpass.com/heartbleed/?h=turbotax.com SSL Certificates have not been updated for 2 months, and I personally won’t be doing anything on TurboTax until this is addressed.
Hi Asbas33, Our engineers have verified TurboTax is not affected by “Heartbleed.” Password resets and re-issuing of SSL certificates are not required at this time. There are many online tools that show varying results; you can check here: http://filippo.io/Heartbleed/. Taxpayers can be confident that TurboTax websites are secure and their personal and financial information are safe. Thanks, Jen
I am confident that TurboTax uses multiple layers of encryption as my small company does. We never trust just using SSL for encryption for important user data.
So, the systems were not secure before? Your advice for dealing with this is what? Should we start by changing our passwords?
Hi Daniel, We continuously monitor our systems and have no indication that TurboTax.com was ever vulnerable. Earlier this week, we did patch a couple of support services to protect against the Heartbleed security vulnerability. We’re confident that TurboTax is safe to use. The fact is, the vast majority of our servers do not use the version of SSL that was vulnerable to Heartbleed. It is always good practice to regularly update your online passwords, however, we are not proactively recommending that customers do so now. If you would like to update your password, here are instructions to do so: https://ttlc.intuit.com/questions/2404942-how-can-i-change-my-password Thanks, Jen
If it’s safe, then why does it show up as “unsafe” and “very likely” vulnerable on LastPass? See link below: https://lastpass.com/heartbleed/?h=turbotax.com Update your SSL certificate TurboTax! Everyone can make their own decisions, but I’m not using this until it is verified as safe by lastpass.
Do we need to change our passwords?
Hi Susan, It is always good practice to regularly update your online passwords, however, we are not proactively recommending that customers do so now. If you would like to update your password, here are instructions to do so: https://ttlc.intuit.com/questions/2404942-how-can-i-change-my-password Thanks, Jen
Is it recommended that we update our Turbo Tax password (if it hasn’t been changed in the past year)?
Hi Geoff, It is always good practice to regularly update your online passwords, however, we are not proactively recommending that customers do so now. If you would like to update your password, here are instructions to do so: https://ttlc.intuit.com/questions/2404942-how-can-i-change-my-password Thanks, Jen
When did you confirm that the Intuit website is not vulnerable to Heartbleed?
Hi Gil, We continuously monitor our systems and have no indication that TurboTax.com was ever vulnerable. Earlier this week, we did patch a couple of support services to protect against the Heartbleed security vulnerability. We’re confident that TurboTax is safe to use. The fact is, the vast majority of our servers do not use the version of SSL that was vulnerable to Heartbleed. Hope this answers your question! Thanks, Jen
I was just on https://www.ssllabs.com/ssltest/index.html and scanned for turbotax.com. The site received an “F” grade on the SSL scan. What is going on? We need to file our taxes but are seriously thinking about mailing in the return rather than trust turbotax.
Hi Shirley, Our engineers have verified TurboTax is not affected by “Heartbleed.” Password resets and re-issuing of SSL certificates are not required at this time. There are many online tools that show varying results; you can check here: http://filippo.io/Heartbleed/. Taxpayers can be confident that TurboTax websites are secure and their personal and financial information are safe. Thanks, Jen
I have gone to that website and tried to run the test twice. The scan never finishes. Can you try it and tell me how long it took you from start to end? Thank you
So does this mean that TurboTax was vulnerable to heartbleed, but now it is no longer vulnerable because it is secured, so users should change their passwords? Or does this mean TurboTax was never vulnerable to heartbleed, so no need to change passwords?
Hi Tony, We continuously monitor our systems and have no indication that TurboTax.com was ever vulnerable. Earlier this week, we did patch a couple of support services to protect against the Heartbleed security vulnerability. We’re confident that TurboTax is safe to use. The fact is, the vast majority of our servers do not use the version of SSL that was vulnerable to Heartbleed. It is always good practice to regularly update your online passwords, however, we are not proactively recommending that customers do so now. If you would like to update your password, here are instructions to do so: https://ttlc.intuit.com/questions/2404942-how-can-i-change-my-password Thanks, jen
Hi Tony, Please see our updates regarding the Heartbleed bug. We continuously monitor our systems and have no indication that TurboTax.com was ever vulnerable. Earlier this week, we did patch a couple of support services to protect against the Heartbleed security vulnerability. We’re confident that TurboTax is safe to use. The fact is, the vast majority of our servers do not use the version of SSL that was vulnerable to Heartbleed. Thank you, Lisa Greene-Lewis
Does that mean that Intuit updated the vulnerable software and the system is not vulnerable today….or that Intuit has never installed the vulnerable OpenSSL version released in late 2011 and the vulnerability never existed?
Why is https://turbotax.intuit.com still using old certificate generated on Feb 7, 2014, which is before the heartbleed bug was published? I know that Intuit has patched its servers, but according to http://en.wikipedia.org/wiki/Heartbleed_bug, patching alone does not fix this bug. The SSL certificate must be regenerated with new private keys and passwords. I’ve been using TurboTax since 2009 and have started using it for 2013 tax return but I haven’t finished filing my tax return. I didn’t want to log on to TurboTax web site again until you have a new SSL certificate.
Hi teera, We continuously monitor our systems and have no indication that TurboTax.com was ever vulnerable. Earlier this week, we did patch a couple of support services to protect against the Heartbleed security vulnerability. We’re confident that TurboTax is safe to use. The fact is, the vast majority of our servers do not use the version of SSL that was vulnerable to Heartbleed. TurboTax is safe to use and you can file today. There’s no reason to wait. Our engineers have verified TurboTax is not affected by “Heartbleed.” Password resets and re-issuing of SSL certificates are not required at this time. Thanks, Jen
Heartbleed is not new–it has apparently existed since 2012. Your statement says that Intuit has secured TurboTax…great, but the clear implication is that it has potentially been unsecured for some period of time, perhaps even since 2012. So Intuit, how long have our passwords and logins (and thus Social Security Numbers) been vulnerable to this flaw? We need a frank statement now, no more vague marketing blather about how seriously you take security–that is all a given and we get it. What are the facts? How long did you use the vulnerable version of OpenSSL on the TurboTax site?
Hi Matt, We continuously monitor our systems and have no indication that TurboTax.com was ever vulnerable. Earlier this week, we did patch a couple of support services to protect against the Heartbleed security vulnerability. We’re confident that TurboTax is safe to use. The fact is, the vast majority of our servers do not use the version of SSL that was vulnerable to Heartbleed. Thanks, Jen
The post does not say if you were affected by the heart bleed vulnerability or not? Do we need to change our Turbotax passwords?
Hi Tom, We continuously monitor our systems and have no indication that TurboTax.com was ever vulnerable. Earlier this week, we did patch a couple of support services to protect against the Heartbleed security vulnerability. We’re confident that TurboTax is safe to use. The fact is, the vast majority of our servers do not use the version of SSL that was vulnerable to Heartbleed. It is always good practice to regularly update your online passwords, however, we are not proactively recommending that customers do so now. If you would like to update your password, here are instructions to do so: https://ttlc.intuit.com/questions/2404942-how-can-i-change-my-password Thanks, Jen
The post does not say if you were affected by the heart bleed vulnerability or not?
You have secured your website, meaning you patched the vulnerability. Are you advising customers to change their passwords? Was Intuit exploited?
Hi Don, Our engineers have verified TurboTax is not affected by “Heartbleed.” It is always good practice to regularly update your online passwords, however, we are not proactively recommending that customers do so now. Thanks, Jen
Hi Don, Please see our updates to this blog post, which answer your questions. Thank you, Lisa Greene-Lewis
When you say you secured the servers, does that mean you fixed the Heartbleed vulnerability? If so, why aren’t you advising customers to change their password?
Hi Kathryn, We continuously monitor our systems and have no indication that TurboTax.com was ever vulnerable. Earlier this week, we did patch a couple of support services to protect against the Heartbleed security vulnerability. We’re confident that TurboTax is safe to use. The fact is, the vast majority of our servers do not use the version of SSL that was vulnerable to Heartbleed. It is always good practice to regularly update your online passwords, however, we are not proactively recommending that customers do so now. If you would like to update your password, here are instructions to do so: https://ttlc.intuit.com/questions/2404942-how-can-i-change-my-password Thanks, jen
Hi Kathryn, Please see our updates to this blog post, which addresses your questions. Thank you, Lisa Greene-Lewis
I would like more information, please? The TurboTax site appears to use some OpenSSL components; in what way was it remediated? I have used TurboTax for many, many years but am hesitant to use it until more visibility is given.
Hi Edward, Our engineers have verified TurboTax is not affected by “Heartbleed.” Password resets and re-issuing of SSL certificates are not required at this time. There are many online tools that show varying results; you can check here: http://filippo.io/Heartbleed/ We continuously monitor our systems and have no indication that TurboTax.com was ever vulnerable. Earlier this week, we did patch a couple of support services to protect against the Heartbleed security vulnerability. We’re confident that TurboTax is safe to use. The fact is, the vast majority of our servers do not use the version of SSL that was vulnerable to Heartbleed. You can rest assured that TurboTax is safe to use and you can file today. Thanks, jen
Hi Edward, Please see our updates to our blog post, which addresses your questions. Thank you, Lisa Greene-Lewis
Can we infer then that site was previously vulnerable? Has Intuit generated new SSL keys and certificates? Do they advise that we all now change our passwords?
Hi Apolune, We continuously monitor our systems and have no indication that TurboTax.com was ever vulnerable. Earlier this week, we did patch a couple of support services to protect against the Heartbleed security vulnerability. We’re confident that TurboTax is safe to use. The fact is, the vast majority of our servers do not use the version of SSL that was vulnerable to Heartbleed. It is always good practice to regularly update your online passwords, however, we are not proactively recommending that customers do so now. Thanks, Jen
Hi, Please see the updates made to our blog on this subject, which addresses your questions. Thank you, Lisa Greene-Lewis
My connection to you may be safe, but what about your connection to the IRS site when you send it on? Is that a safe connection?
Hi Steve, Yes, the connection is safe. Please see the statement from the IRS http://www.irs.gov/uac/Newsroom/IRS-Statement-on-Heartbleed-and-Filing-Season Thank you, Lisa Greene-Lewis
Thank you very much. My questions are answered and I feel much more confident filing my taxes through TurboTax.
So what is the risk if you have already filed your returns and what is Intuit doing to protect those customers?
Hi Margaret, We continuously monitor our systems and have no indication that TurboTax.com was ever vulnerable. Earlier this week, we did patch a couple of support services to protect against the Heartbleed security vulnerability. We’re confident that TurboTax is safe to use. The fact is, the vast majority of our servers do not use the version of SSL that was vulnerable to Heartbleed. Thank you, Lisa Greene-Lewis
Hi Margaret, We continuously monitor our systems and have no indication that TurboTax.com was ever vulnerable. Earlier this week, we did patch a couple of support services to protect against the Heartbleed security vulnerability. We’re confident that TurboTax is safe to use. The fact is, the vast majority of our servers do not use the version of SSL that was vulnerable to Heartbleed. Those who have filed and plan to file can be confident that TurboTax websites are secure and their personal and financial information are safe. Thanks, Jen
Thank you so much. This is another reason I use Turbo Tax every year. Detail detail detail. You take care of everything.
That’s great. Can you comment on whether you were previously susceptible to heartbleed and whether we need to change our passwords?
Hi Eric, We continuously monitor our systems and have no indication that TurboTax.com was ever vulnerable. Earlier this week, we did patch a couple of support services to protect against the Heartbleed security vulnerability. We’re confident that TurboTax is safe to use. The fact is, the vast majority of our servers do not use the version of SSL that was vulnerable to Heartbleed. It is always good practice to regularly update your online passwords, however, we are not proactively recommending that customers do so now. If you would like to update your password, here are instructions to do so: https://ttlc.intuit.com/questions/2404942-how-can-i-change-my-password Thanks, Jen
Intuit, the current SSL certificates on your site were issued on February 6 of this year. The recommendation for ALL sites that were potentially affected by heartbleed is to issue NEW SSL certificates. Why has this not happened yet? I work in IT Security and am not comfortable at ALL with finishing my tax return while you continue to use certs that may already be compromised.
I used turbotax.ca and I used my brand new credit card to do my taxes in early march. No other internet site has my credit information. Last week someone charged up alot of stuff luckily my bank caught it. Reply
I used turbo tax last year, for the first time. This year, I went to file our taxes through Turbo Tax, only to have them tell me our taxes had be already been filed three weeks earlier. I called, and sure enough, someone had used my husband’s SS# to file taxes in his name, using his phone number (except for changing the last digit) and having it sent to a home in Fullerton, CA. We have lived all our lives in Louisiana, and have always filed married/jointly. This person filed single. The fact that it was a different state, different filing status, WAY different email address (which, in itself indicates suspicion because it was so strange: govatyjutisu@hotmail.com . . . REALLY???) NONE of that raised a flag with Turbo Tax. This was obviously a scam, as our refund was mailed to a house that is up for sale in CA. I will NEVER use Turbo Tax again. I will only use the IRS site, using fillable forms, printing them out and mailing them in. I’m done and totally disgusted by this…not to mention paranoid. Reply
I filed through Turbo Tax software i purchased, I live in Ontario. I chose the option to have turbotax netfile my return to CRA. Even though turbo tax is saying they have not been affected, is it still possible that my info could have been compromised with the CRA’s website or Netfile? Reply
Had issues purchasing the product online that required me to spend 45 mins on hold and then the live TurboxTax rep solved it quickly. Then Spent another 45 mins on hold another day due to issue with TurboTax handling me working in one state and living in another. Then when I filed my taxes, TurboTax would not take my credit card. Had to pay the $34.99 to take it out of my bank account. Been using TurboTax for years now. Quality was definately off this year. I hope they improve next year or I will need to look for an an alternative to TurboTax. Reply
So, if you are so confident that our tax returns will be safe using TurboTax, then do what Lifelock does and guarantee that our data is safe and secure with a $1 Million guarantee. We’ll wait for your response……. Reply
Until Intuit identifies what customer information was on the affected services we have no choice but to assume everything passed to them in the past 2 years was vulnerable to compromise. Reply
Turbotax.ca was affected by Heartbleed and the Heartbleed test website continues to report that “something went wrong”. Has this website been fixed? Reply
Well, This was the first time i ever used turbo tax, and i have received phone calls from fraudulent “tax payment collectors” about 5 times during this tax season. Im not calling turbo tax, Liars. just making a statement that their website obviously not safe Reply
Hi Ted, Fraudulent phone calls can happen no matter what method you use. There is a new scam where people call and ask you to make a tax payment. I personally know several people who use a private CPA and this happened to. It has nothing to do with TurboTax. Here is more information from the IRS http://www.irs.gov/uac/Newsroom/IRS-Warns-of-Pervasive-Telephone-Scam Thank you, Lisa Greene-Lewis Reply
No matter what question is asked, TT just repeats the same inadequate answer. Saying “we have no indication TT was ever vulnerable” is very different from saying “We have confirmed that TT was never vulnerable.” The fact that the “majority of servers do not use the version of SSL that was vulnerable” suggests that SOME servers did use that version, and it only takes one vulnerable server to compromise data. TT would be wise to actually answer the questions that were asked, and not repeat lawyer-speak. Reply
Hi Steve, Yes, we were not vulnerable to the Heartbleed bug, but to make our customers feel more comfortable we updated our certificates. You can safely efile your state taxes. Thank you, Lisa Greene-Lewis Reply
Let’s be real here, there is absolutely no way Intuit will reveal if they were compromised or not because it would DESTROY their business for the year. How many millions would they lose if all the procrastinators bailed on filing their taxes due to Heartbleed? It’s just like car companies not revealing problems with their cars. Money > Customers Reply
“We continuously monitor our systems and have no indication that TurboTax.com was ever vulnerable” is plain nonsense. The fact is that Heartbleed bug enables an attacker/hacker to hack data in such a way it leaves no trace on the server or client side. This is what makes Heartbleed so ominous. So while continuously monitoring your system is a wonderful thing, it would have done nothing to prevent or detect Heartbleed attack. So the honest/correct answer from any site that was vulnerable to Heartbleed is that “We don’t know” whether any damage was done or the extent of the damage if any. Reply
Hi Raj, Please see the update made on our post from our engineers. Thank you, Lisa Greene-Lewis Reply
I took tubotaxjen’s advice and went to http://filippo.io/Heartbleed/ to look for a positive result for TurboTax. However, it does not finish. I have now tried it four times. Can someoneelse please try the test for Turbotax.com and tell me what you get? Thanks so much! Reply
Hi Shirley, I went onto http://filippo.io/Heartbleed/ again and looks like it’s working for me: http://filippo.io/Heartbleed/#turbotax.com. Hope this helps, let me know if you have any additional questions. Thanks, Jen Reply
It doesn’t look safe to me after checking on LastPass: Site: turbotax.com Server software: Apache-Coyote/1.1 Vulnerable: Very likely (known use OpenSSL) SSL Certificate: Unsafe (created 2 months ago at Feb 7 00:00:00 2014 GMT) Assessment: Wait for the site to update before changing your password Reply
I’m an IT guy and RHCSA (Red Hat Certified System Administrator). Intuit is a Red Hat customer (Apache Coyote is a component in Red Hat’s JBOSS application server). Red Hat’s upstream backporting policy means only EXTREMELY recent (in the enterprise sense) versions of openssl are vulnerable. It’s therefore highly likely that TurboTax’s assertion that the version of openssl they use is not impacted by Heartbleed is correct. Reply
Hi Alan, Taxpayers can be confident that TurboTax websites are secure and their personal and financial information is safe. Thanks, Jen Reply
Hi Bob, Taxpayers can be confident that TurboTax websites are secure and their personal and financial information is safe. Thanks, Jen Reply
If TurboTax is safe, then why does it show up as “unsafe” and “very likely” vulnerable on LastPass? See link below: https://lastpass.com/heartbleed/?h=turbotax.com SSL Certificates have not been updated for 2 months, and I personally won’t be doing anything on TurboTax until this is addressed. Reply
Hi Asbas33, Our engineers have verified TurboTax is not affected by “Heartbleed.” Password resets and re-issuing of SSL certificates are not required at this time. There are many online tools that show varying results; you can check here: http://filippo.io/Heartbleed/. Taxpayers can be confident that TurboTax websites are secure and their personal and financial information is safe. Thanks, Jen Reply
I am confident that TurboTax uses multiple layers of encryption as my small company does. We never trust just using SSL for encryption for important user data. Reply
So, the systems were not secure before? Your advice for dealing with this is what? Should we start by changing our passwords? Reply
Hi Daniel, We continuously monitor our systems and have no indication that TurboTax.com was ever vulnerable. Earlier this week, we did patch a couple of support services to protect against the Heartbleed security vulnerability. We’re confident that TurboTax is safe to use. The fact is, the vast majority of our servers do not use the version of SSL that was vulnerable to Heartbleed. It is always good practice to regularly update your online passwords, however, we are not proactively recommending that customers do so now. If you would like to update your password, here are instructions to do so: https://ttlc.intuit.com/questions/2404942-how-can-i-change-my-password Thanks, Jen Reply
If it’s safe, then why does it show up as “unsafe” and “very likely” vulnerable on LastPass? See link below: https://lastpass.com/heartbleed/?h=turbotax.com Update your SSL certificate TurboTax! Everyone can make their own decisions, but I’m not using this until it is verified as safe by lastpass. Reply
Hi Susan, It is always good practice to regularly update your online passwords, however, we are not proactively recommending that customers do so now. If you would like to update your password, here are instructions to do so: https://ttlc.intuit.com/questions/2404942-how-can-i-change-my-password Thanks, Jen Reply
Is it recommended that we update our Turbo Tax password (if it hasn’t been changed in the past year)? Reply
Hi Geoff, It is always good practice to regularly update your online passwords, however, we are not proactively recommending that customers do so now. If you would like to update your password, here are instructions to do so: https://ttlc.intuit.com/questions/2404942-how-can-i-change-my-password Thanks, Jen Reply
Hi Gil, We continuously monitor our systems and have no indication that TurboTax.com was ever vulnerable. Earlier this week, we did patch a couple of support services to protect against the Heartbleed security vulnerability. We’re confident that TurboTax is safe to use. The fact is, the vast majority of our servers do not use the version of SSL that was vulnerable to Heartbleed. Hope this answers your question! Thanks, Jen Reply
I was just on https://www.ssllabs.com/ssltest/index.html and scanned for turbotax.com. The site received an “F” grade on the SSL scan. What is going on? We need to file our taxes but are seriously thinking about mailing in the return rather than trust turbotax. Reply
Hi Shirley, Our engineers have verified TurboTax is not affected by “Heartbleed.” Password resets and re-issuing of SSL certificates are not required at this time. There are many online tools that show varying results; you can check here: http://filippo.io/Heartbleed/. Taxpayers can be confident that TurboTax websites are secure and their personal and financial information is safe. Thanks, Jen Reply
I have gone to that website and tried to run the test twice. The scan never finishes. Can you try it and tell me how long it took you from start to end? Thank you
So does this mean that TurboTax was vulnerable to heartbleed, but now it is no longer vulnerable because it is secured, so users should change their passwords? Or does this mean TurboTax was never vulnerable to heartbleed, so no need to change passwords? Reply
Hi Tony, We continuously monitor our systems and have no indication that TurboTax.com was ever vulnerable. Earlier this week, we did patch a couple of support services to protect against the Heartbleed security vulnerability. We’re confident that TurboTax is safe to use. The fact is, the vast majority of our servers do not use the version of SSL that was vulnerable to Heartbleed. It is always good practice to regularly update your online passwords, however, we are not proactively recommending that customers do so now. If you would like to update your password, here are instructions to do so: https://ttlc.intuit.com/questions/2404942-how-can-i-change-my-password Thanks, Jen Reply
Hi Tony, Please see our updates regarding the Heartbleed bug. We continuously monitor our systems and have no indication that TurboTax.com was ever vulnerable. Earlier this week, we did patch a couple of support services to protect against the Heartbleed security vulnerability. We’re confident that TurboTax is safe to use. The fact is, the vast majority of our servers do not use the version of SSL that was vulnerable to Heartbleed. Thank you, Lisa Greene-Lewis Reply
Does that mean that Intuit updated the vulnerable software and the system is not vulnerable today….or that Intuit has never installed the vulnerable OpenSSL version released in late 2011 and the vulnerability never existed? Reply
Why is https://turbotax.intuit.com still using old certificate generated on Feb 7, 2014, which is before the heartbleed bug was published? I know that Intuit has patched its servers, but according to http://en.wikipedia.org/wiki/Heartbleed_bug, patching alone does not fix this bug. The SSL certificate must be regenerated with new private keys and passwords. I’ve been using TurboTax since 2009 and have started using it for 2013 tax return but I haven’t finished filing my tax return. I didn’t want to log on to TurboTax web site again until you have a new SSL certificate. Reply
Hi teera, We continuously monitor our systems and have no indication that TurboTax.com was ever vulnerable. Earlier this week, we did patch a couple of support services to protect against the Heartbleed security vulnerability. We’re confident that TurboTax is safe to use. The fact is, the vast majority of our servers do not use the version of SSL that was vulnerable to Heartbleed. TurboTax is safe to use and you can file today. There’s no reason to wait. Our engineers have verified TurboTax is not affected by “Heartbleed.” Password resets and re-issuing of SSL certificates are not required at this time. Thanks, Jen Reply
Heartbleed is not new–it has apparently existed since 2012. Your statement says that Intuit has secured TurboTax…great, but the clear implication is that it has potentially been unsecured for some period of time, perhaps even since 2012. So Intuit, how long have our passwords and logins (and thus Social Security Numbers) been vulnerable to this flaw? We need a frank statement now, no more vague marketing blather about how seriously you take security–that is all a given and we get it. What are the facts? How long did you use the vulnerable version of OpenSSL on the TurboTax site? Reply
Hi Matt, We continuously monitor our systems and have no indication that TurboTax.com was ever vulnerable. Earlier this week, we did patch a couple of support services to protect against the Heartbleed security vulnerability. We’re confident that TurboTax is safe to use. The fact is, the vast majority of our servers do not use the version of SSL that was vulnerable to Heartbleed. Thanks, Jen Reply
The post does not say if you were affected by the heart bleed vulnerability or not? Do we need to change our Turbotax passwords? Reply
Hi Tom, We continuously monitor our systems and have no indication that TurboTax.com was ever vulnerable. Earlier this week, we did patch a couple of support services to protect against the Heartbleed security vulnerability. We’re confident that TurboTax is safe to use. The fact is, the vast majority of our servers do not use the version of SSL that was vulnerable to Heartbleed. It is always good practice to regularly update your online passwords, however, we are not proactively recommending that customers do so now. If you would like to update your password, here are instructions to do so: https://ttlc.intuit.com/questions/2404942-how-can-i-change-my-password Thanks, Jen Reply
You have secured your website, meaning you patched the vulnerability. Are you advising customers to change their passwords? Was Intuit exploited? Reply
Hi Don, Our engineers have verified TurboTax is not affected by “Heartbleed.” It is always good practice to regularly update your online passwords, however, we are not proactively recommending that customers do so now. Thanks, Jen Reply
Hi Don, Please see our updates to this blog post, which answer your questions. Thank you, Lisa Greene-Lewis Reply
When you say you secured the servers, does that mean you fixed the Heartbleed vulnerability? If so, why aren’t you advising customers to change their password? Reply
Hi Kathryn, We continuously monitor our systems and have no indication that TurboTax.com was ever vulnerable. Earlier this week, we did patch a couple of support services to protect against the Heartbleed security vulnerability. We’re confident that TurboTax is safe to use. The fact is, the vast majority of our servers do not use the version of SSL that was vulnerable to Heartbleed. It is always good practice to regularly update your online passwords, however, we are not proactively recommending that customers do so now. If you would like to update your password, here are instructions to do so: https://ttlc.intuit.com/questions/2404942-how-can-i-change-my-password Thanks, Jen Reply
Hi Kathryn, Please see our updates to this blog post, which address your questions. Thank you, Lisa Greene-Lewis Reply
I would like more information, please? The TurboTax site appears to use some OpenSSL components; in what way was it remediated? I have used TurboTax for many, many years but am hesitant to use it until more visibility is given. Reply
Hi Edward, Our engineers have verified TurboTax is not affected by “Heartbleed.” Password resets and re-issuing of SSL certificates are not required at this time. There are many online tools that show varying results; you can check here: http://filippo.io/Heartbleed/. We continuously monitor our systems and have no indication that TurboTax.com was ever vulnerable. Earlier this week, we did patch a couple of support services to protect against the Heartbleed security vulnerability. We’re confident that TurboTax is safe to use. The fact is, the vast majority of our servers do not use the version of SSL that was vulnerable to Heartbleed. You can rest assured that TurboTax is safe to use and you can file today. Thanks, Jen Reply
Hi Edward, Please see our updates to our blog post, which address your questions. Thank you, Lisa Greene-Lewis Reply
Can we infer then that site was previously vulnerable? Has Intuit generated new SSL keys and certificates? Do they advise that we all now change our passwords? Reply
Hi Apolune, We continuously monitor our systems and have no indication that TurboTax.com was ever vulnerable. Earlier this week, we did patch a couple of support services to protect against the Heartbleed security vulnerability. We’re confident that TurboTax is safe to use. The fact is, the vast majority of our servers do not use the version of SSL that was vulnerable to Heartbleed. It is always good practice to regularly update your online passwords, however, we are not proactively recommending that customers do so now. Thanks, Jen Reply
Hi, Please see the updates made to our blog on this subject, which address your questions. Thank you, Lisa Greene-Lewis Reply
My connection to you may be safe, but what about your connection to the IRS site when you send it on, is that a safe connection? Reply
Hi Steve, Yes, the connection is safe. Please see the statement from the IRS http://www.irs.gov/uac/Newsroom/IRS-Statement-on-Heartbleed-and-Filing-Season Thank you, Lisa Greene-Lewis Reply
Thank you very much. My questions are answered and I feel much more confident filing my taxes through TurboTax.
So what is the risk if you have already filed your returns and what is Intuit doing to protect those customers? Reply
Hi Margaret, We continuously monitor our systems and have no indication that TurboTax.com was ever vulnerable. Earlier this week, we did patch a couple of support services to protect against the Heartbleed security vulnerability. We’re confident that TurboTax is safe to use. The fact is, the vast majority of our servers do not use the version of SSL that was vulnerable to Heartbleed. Thank you, Lisa Greene-Lewis Reply
Hi Margaret, We continuously monitor our systems and have no indication that TurboTax.com was ever vulnerable. Earlier this week, we did patch a couple of support services to protect against the Heartbleed security vulnerability. We’re confident that TurboTax is safe to use. The fact is, the vast majority of our servers do not use the version of SSL that was vulnerable to Heartbleed. Those who have filed and plan to file can be confident that TurboTax websites are secure and their personal and financial information is safe. Thanks, Jen Reply
Thank you so much. This is another reason I use Turbo Tax every year. Detail detail detail. You take care of everything. Reply
That’s great. Can you comment on whether you were previously susceptible to heartbleed and whether we need to change our passwords? Reply
Hi Eric, We continuously monitor our systems and have no indication that TurboTax.com was ever vulnerable. Earlier this week, we did patch a couple of support services to protect against the Heartbleed security vulnerability. We’re confident that TurboTax is safe to use. The fact is, the vast majority of our servers do not use the version of SSL that was vulnerable to Heartbleed. It is always good practice to regularly update your online passwords, however, we are not proactively recommending that customers do so now. If you would like to update your password, here are instructions to do so: https://ttlc.intuit.com/questions/2404942-how-can-i-change-my-password Thanks, Jen
Intuit, the current SSL certificates on your site were issued on February 6 of this year. The recommendation for ALL sites that were potentially affected by heartbleed is to issue NEW SSL certificates. Why has this not happened yet? I work in IT Security and am not comfortable at ALL with finishing my tax return while you continue to use certs that may already be compromised.