Want CNET to notify you of price drops and the latest stories?

Hackers might have stolen IRS data on more than 300,000 households

More taxpayers than originally thought had personal information stolen in a hack that used a surprisingly simple method.

Laura Hautala
Laura Hautala
Laura Hautala Former Senior Writer
Laura wrote about e-commerce and Amazon, and she occasionally covered cool science topics. Previously, she broke down cybersecurity and privacy issues for CNET readers. Laura is based in Tacoma, Washington, and was into sourdough before the pandemic.
Expertise E-commerce, Amazon, earned wage access, online marketplaces, direct to consumer, unions, labor and employment, supply chain, cybersecurity, privacy, stalkerware, hacking. Credentials
  • 2022 Eddie Award for a single article in consumer technology
Laura Hautala
2 min read

More than 300,000 households face "possible or potential" loss of their personal information, the IRS said. JIM WATSON/AFP/Getty Images

Many people rely on security questions like "What's your mother's maiden name?" to protect their personal information online, but hackers are getting better at finding the answers.

Case in point: the hackers who raided US Government's Internal Revenue Service data systems. Those attackers were much more successful at answering security questions than previously known, the government agency announced Monday, underscoring the dangers of using simple security to protect valuable data.

More than 300,000 households face "possible or potential" loss of their personal information to the electronic attackers, the agency said. That's more than twice the initial estimate of 114,000 households given by the IRS in May.

What's more, the total number of failed attempts to get taxpayer information also more than doubled from the agency's original estimate.

The breach shows the prowess of hackers who can collect personal information from across the Web to get past security questions. As more and more data gets stolen and sold by criminals, hacks like this one could increase, security experts said.

The attack attempted to get taxpayer information on the IRS website using personal information that usually only the taxpayer would know, according to a statement from the agency. Whoever mounted this mass log-in approach was successful more often than not, getting transcripts that contained a gold mine of personal information from tax returns.

The IRS shut down the online transcript service in May.

When most people think of losing their Social Security numbers, they think of credit card fraud, said Jasper Graham, an executive at security company Darktrace and former cyber expert at the National Security Agency.

But instead of immediately applying for credit cards, many online thieves sell the information itself for cash. Or, they collect it with information from other hacks and produce an arsenal of information.

"All the data is online somewhere, and if you have the skill set to go hack and get it, you can make a lot of money from it," Graham said.