Updated 4/11/14 (12:05 pm PST) The article below has been updated with the latest recent information from our engineers.
A security flaw has been discovered in the popular OpenSSL cryptographic software library that is used by up to two thirds of the Internet, called Heartbleed. TurboTax engineers have verified TurboTax is not affected by “Heartbleed.” You can be confident that TurboTax websites are secure and your personal and financial information is safe. You can file your tax return today with confidence.
Safeguarding our customers’ data is our top priority. We continuously monitor our systems to improve our security capabilities in service to our customers. Even though TurboTax was not vulnerable, we have taken additional security precautions to protect the security and privacy of customers’ personal and financial information.
The IRS continues to accept tax returns as normal and has stated that their systems continue operating and are not affected by this bug. The IRS advises taxpayers to continue filing their tax returns as they normally would in advance of the April 15 tax deadline.
Frequently Asked Questions
Here are answers to questions you may have:
Should I file today? Or wait?
TurboTax is safe to use and you can file today. There’s no reason to wait. Our engineers have verified TurboTax is not affected by “Heartbleed.”
Do I need to change my password?
You can update your password at any time, although we are not proactively advising you to do so.
Online tools/websites show that your sites are failing the security grade, so are you OK?
Our engineers have verified TurboTax is not affected by “Heartbleed”. Even though we were not vulnerable, and had no need to do so, we decided to rotate the certificates on our key tax sites to help address some of your concerns and clear up the confusion. That effort has been completed.
We have changed the certificates on turbotax.intuit.com (the front door to all of our turbotax applications) and accounts.intuit.com (where we manage your usernames/passwords). If you visit those sites and examine the details of the certificate in your browser, you will see issue dates of April 9th, 2014 – which indicates that the certificates are brand new.
Can you confirm that you were never vulnerable to begin with?
We continuously monitor our systems and have no indication that TurboTax.com was ever vulnerable. Earlier this week, we did patch a couple of support services to protect against the Heartbleed security vulnerability. We’re confident that TurboTax is safe to use. The fact is, the vast majority of our servers do not use the version of SSL that was vulnerable to Heartbleed.