By Julia Musto Published December 01, 2022 Fox News
Password manager LastPass announced Wednesday it had suffered its second data breach in three months.
CEO Karim Toubba said the company recently detected unusual activity within a third-party cloud storage service that is shared by LastPass and affiliate GoTo.
He said an investigation was immediately launched into the incident by security firm Mandiant and that law enforcement had been alerted.
“We have determined that an unauthorized party, using information obtained in the August 2022 incident, was able to gain access to certain elements of our customers’ information. Our customers’ passwords remain safely encrypted due to LastPass’s Zero Knowledge architecture,” Toubba said.
LastPass is working to identify what specific information has been accessed and the scope of the incident.
Toubba said further updates would be provided as LastPass learns more details.
In August, LastPass said an unauthorized party had gained access to portions of the LastPass development environment through a single compromised developer account and took portions of source code and some proprietary LastPass technical information.
Following an investigation, Toubba said in September that the threat actor’s activity had been limited to a four-day period and confirmed that there is no evidence this incident involved any access to customer data or encrypted password vaults.
“We recognize that security incidents of any sort are unsettling but want to assure you that your personal data and passwords are safe in our care,” he said then.
Julia Musto is a reporter for Fox News and Fox Business Digital.
Major tax filing services such as H&R Block, TaxAct, and TaxSlayer have been quietly transmitting sensitive financial information to Facebook when Americans file their taxes online, The Markup has learned.
The data, sent through widely used code called the Meta Pixel, includes not only information like names and email addresses but often even more detailed information, including data on users’ income, filing status, refund amounts, and dependents’ college scholarship amounts.
The information sent to Facebook can be used by the company to power its advertising algorithms and is gathered regardless of whether the person using the tax filing service has an account on Facebook or other platforms operated by its owner, Meta.
Each year, the Internal Revenue Service processes about 150 million individual returns filed electronically, and some of the most widely used e-filing services employ the pixel, The Markup found.
When users sign up to file their taxes with the popular service TaxAct, for example, they’re asked to provide personal information to calculate their returns, including how much money they make and their investments. A pixel on TaxAct’s website then sent some of that data to Facebook, including users’ filing status, their adjusted gross income, and the amount of their refund, according to a review by The Markup. Income was rounded to the nearest thousand and refund to the nearest hundred. The pixel also sent the names of dependents in an obfuscated, but generally reversible, format.
TaxAct, which says it has about three million “consumer and professional users,” also uses Google’s analytics tool on its website, and The Markup found similar financial data, but not names, being sent to Google through its tool.
TaxAct wasn’t the only tax filing service using the Meta Pixel. Tax preparation giant H&R Block, which also offers an online filing option that attracts millions of customers per year, embedded a pixel on its site that gathered information on filers’ health savings account usage and dependents’ college tuition grants and expenses.
TaxSlayer, another widely used filing service, sent personal information to Facebook as part of the social media company’s “advanced matching” system, which gathers information on web visitors in an attempt to link them to Facebook accounts. The information gathered through the pixel on TaxSlayer’s site included phone numbers, the name of the user filling out the form, and the names of any dependents added to the return. As with TaxAct, specific demographic information about a user was obfuscated but still usable for Facebook to link a user to an existing profile. TaxSlayer has said it completed 10 million federal and state tax returns last year.
The Markup also found the pixel code on a tax preparation site operated by a financial advice and software company called Ramsey Solutions, which uses a version of TaxSlayer’s service. That pixel gathered even more personal data from a tax return summary page, including information on income and refund amounts. This information was not sent immediately upon visiting the page but only when visitors clicked dropdown headings to see more details of their report.
Even Intuit, the company that runs America’s dominant online filing software, employed the pixel. Intuit’s TurboTax, however, did not send financial information to Meta but rather usernames and the last time a device signed in. The company kept the pixel entirely off pages beyond sign in.
“We take the privacy of our customers’ data very seriously,” Nicole Coburn, a spokesperson for TaxAct, said in an email. “TaxAct, at all times, endeavors to comply with all IRS regulations.” Angela Davied, a spokesperson for H&R Block, said the company “regularly evaluate[s] our practices as part of our ongoing commitment to privacy, and will review the information.”
Megan McConnell, a spokesperson for Ramsey Solutions, said in an email that the company “implemented the Meta Pixel to deliver a more personalized customer experience.”
“We did NOT know and were never notified that personal tax information was being collected by Facebook from the Pixel,” the statement said. “As soon as we found out, we immediately informed TaxSlayer to deactivate the Pixel from Ramsey SmartTax.”
After The Markup contacted TaxSlayer, spokesperson Molly Richardson said in an email that the company had removed the pixel to evaluate its use. “Our customers’ privacy is of utmost importance, and we take concerns about our customers’ information very seriously,” she said, adding that Ramsey Solutions “decided to remove the pixel” as well.
Rick Heineman, a spokesperson for Intuit, said the company’s pixel “does not track, gather, or share information that users enter in TurboTax while filing their taxes,” although Intuit “may share some non-tax-return information, such as username, with marketing partners to deliver a better customer experience,” like not showing Intuit ads on Facebook to people who have accounts already. The company said it’s in compliance with regulations but has modified the pixel to no longer send usernames.
Mandi Matlock, a Harvard Law School lecturer focused on tax law, said The Markup’s findings showed taxpayers “providing some of the most sensitive information that they own, and it’s being exploited.”

“This is appalling,” she said. “It truly is.”

On Monday, after TaxAct was contacted by The Markup for comment, the company’s site no longer sent financial details like income and refund amount to Meta but continued to send the names of dependents. The site also continued to send financial information to Google Analytics. Also as of Monday, TaxSlayer and Ramsey Solutions had removed the pixel from their tax filing sites and TurboTax had stopped sending usernames through the pixel at sign in. H&R Block’s site was continuing to send information on health savings accounts and college tuition grants.

As of Wednesday, after this story was published, TaxAct had removed the pixel from its tax filing web application, but was still sending financial information to Google Analytics, and H&R Block told The Markup it removed the pixel from its tax filing website “to stop any client tax information from being collected.” The Markup verified that it had been removed.
How the Meta Pixel Tracks Users
Meta makes the pixel code freely available to anyone who wants it, allowing businesses to embed the code on their sites as they wish. Using the code helps both Facebook and the businesses. When a customer comes to a business’s website, the pixel might record what items the customer browsed, say, a T-shirt, for example. The business can then target its ads on Facebook to people who looked at that shirt, allowing the business to find an audience that may already be interested in its products.

Meta wins financially too. The company says it can use the data it gleans from tools like the pixel to power its algorithms, providing it insight into the habits of users across the internet. The strategy has been successful for Facebook. In 2018, the company told Congress that there were more than two million pixels across the web, a massive data-harvesting operation most internet users never see. “The practice is ubiquitous,” said Jon Callas, director of public interest technology at the Electronic Frontier Foundation, who said he was left in “shock but not surprise” at The Markup’s findings.

Some of the sensitive data collection analyzed by The Markup appears linked to default behaviors of the Meta Pixel, while some appears to arise from customizations made by the tax filing services, someone acting on their behalf, or other software installed on the site.

For example, Meta Pixel collected health savings account and college expense information from H&R Block’s site because the information appeared in webpage titles and the standard configuration of the Meta Pixel automatically collects the title of a page the user is viewing, along with the web address of the page and other data. It was able to collect income information from Ramsey Solutions because the information appeared in a summary that expanded when clicked. The summary was detected by the pixel as a button, and in its default configuration the pixel collects text from inside a clicked button.
The pixels embedded by TaxSlayer and TaxAct used a feature called “automatic advanced matching.” That feature scans forms looking for fields it thinks contain personally identifiable information like a phone number, first name, last name, or email address, then sends detected information to Meta. On TaxSlayer’s site this feature collected phone numbers and the names of filers and their dependents. On TaxAct it collected the names of dependents.

The data collected by the matching feature is sent in an obfuscated form known as a hash, which Meta states is used in order to “help protect user privacy.” But the company can generally determine the pre-obfuscated version of the data; in fact Meta explicitly uses the hashed information to link other pixel data to Facebook and Instagram profiles. This pixel feature was turned off by default when The Markup set up a test pixel attached to a business account but could be turned on by clicking a toggle during setup.

When TaxAct sent dollar amounts like adjusted gross income to Meta, they were transmitted as parameters to a “custom event,” which are sent only if the pixel is configured beyond the default by a website operator or another application the website operator adds to their site. TaxAct did not respond to questions about whether and why it configured the pixel in this manner.

There are limits to the types of data Meta says it will collect through the pixel. The company says it doesn’t want sensitive information sent to it, including financial data, and that it uses automated filtering to block potentially sensitive data. Its help center states that it prohibits sending information including bank account or credit card numbers or “information about an individual’s financial account or status.” Still, one specific type of prohibited data, income, was exactly what two tax sites sent to Facebook, The Markup found.
Data sent to Facebook by TaxAct suggests it was also previously sending a parameter labeled “student_loan_interest,” which is now being filtered by the pixel before being sent.

From January to July of this year, The Markup tracked websites’ use of the pixel as part of the Pixel Hunt, a partnership with Mozilla Rally. For the project, participating users installed a browser extension that provided The Markup with a copy of all data shared with Meta via the pixel.

The Markup initially discovered sensitive information was shared by the tax preparers through data shared by Pixel Hunt participants. The Markup then signed up for accounts on the companies’ web applications and used the “Network” section of Chrome DevTools, a tool built into Google’s Chrome browser, to replicate and confirm the data.

Earlier this year, with the help of Pixel Hunt participants, The Markup found sensitive data sent to Facebook on the Education Department’s federal student aid application website, crisis pregnancy websites, and the websites of prominent hospitals.

Meta collects so much data even the company itself sometimes may be unaware of where it ends up. Earlier this year Vice reported on a leaked Facebook document written by Facebook privacy engineers who said the company did not “have an adequate level of control and explainability over how our systems use data,” making it difficult to promise it wouldn’t use certain data for certain purposes.

At the time, a company spokesperson told Vice that Facebook has “extensive processes and controls to manage data and comply with privacy regulations.”

In response to The Markup’s questions about the tax websites’ use of the pixel, Dale Hogan, a spokesperson for Meta, pointed to the company’s rules on sensitive financial information. “Advertisers should not send sensitive information about people through our Business Tools,” Hogan wrote in an emailed statement.
“Doing so is against our policies and we educate advertisers on properly setting up Business tools to prevent this from occurring. Our system is designed to filter out potentially sensitive data it is able to detect.”

Google spokesperson Jackie Berté said in an email that the company “has strict policies against advertising to people based on sensitive information” and that Google Analytics data “is obfuscated, meaning it is not tied back to an individual and our policies prohibit customers from sending us data that could be used to identify a user.”
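A defender-side audit of captured pixel traffic, added here as an illustration and not code from The Markup, Meta or any of the tax services: it parses requests as they would be listed in the DevTools Network tab the article mentions, flags custom-event parameters and page URLs that carry tax terms, lists advanced-matching fields, and shows why a SHA-256 hash of a short name is trivially matched against a candidate list. The parameter names (`ev`, `dl`, `cd[...]`, `ud[...]`), the lower-case normalisation assumed for hashing, and every sample value are assumptions.

```python
import hashlib
import re
from urllib.parse import parse_qsl, urlsplit

# Terms that, if they appear in a parameter name or page URL sent to the
# pixel, indicate tax-return data of the kind the article describes.
SENSITIVE_TERMS = re.compile(
    r"income|agi|refund|filing_status|dependent|tuition|scholarship|"
    r"student_loan|hsa|health_savings",
    re.IGNORECASE,
)


def hash_for_matching(value):
    """Advanced matching sends form fields as a hash. Assumed here: SHA-256 of
    the trimmed, lower-cased value. Used only to build the sample data."""
    return hashlib.sha256(value.strip().lower().encode()).hexdigest()


# Constructed sample capture. Parameter names are assumptions modelled on
# pixel traffic: ev = event name, dl = page URL, cd[...] = custom event data,
# ud[...] = advanced-matching fields. All values are made up.
SAMPLE_REQUESTS = [
    "https://www.facebook.com/tr/?id=000000000000&ev=PageView"
    "&dl=https%3A%2F%2Ftaxsite.example%2Fsummary%3Fstep%3Drefund",
    "https://www.facebook.com/tr/?id=000000000000&ev=ReturnSummary"
    "&cd%5Bfiling_status%5D=single&cd%5Bagi%5D=54000&cd%5Brefund%5D=1200"
    "&ud%5Bfn%5D=" + hash_for_matching("Alex")
    + "&ud%5Bln%5D=" + hash_for_matching("Doe"),
    # Not a pixel call; the audit must leave it alone.
    "https://www.google-analytics.com/collect?v=1&t=event&ec=tax&ea=refund",
]


def audit_pixel_request(url):
    """Return findings for one captured request, or None when the request is
    not a Meta Pixel call (facebook.com host, /tr path)."""
    parts = urlsplit(url)
    host = parts.netloc.lower()
    is_fb = host == "facebook.com" or host.endswith(".facebook.com")
    if not is_fb or not parts.path.startswith("/tr"):
        return None
    findings = {"event": "", "custom_data": {}, "advanced_matching": [], "sensitive": []}
    for key, value in parse_qsl(parts.query, keep_blank_values=True):
        if key == "ev":
            findings["event"] = value
        elif key.startswith("cd[") and key.endswith("]"):
            name = key[3:-1]
            findings["custom_data"][name] = value
            if SENSITIVE_TERMS.search(name):
                findings["sensitive"].append(f"cd[{name}]")
        elif key.startswith("ud[") and key.endswith("]"):
            findings["advanced_matching"].append(key[3:-1])
        elif key == "dl" and SENSITIVE_TERMS.search(value):
            # Page URL itself leaks which step of the return the user is on.
            findings["sensitive"].append("dl")
    return findings


def recover_hashed_value(digest, candidates):
    """Why hashing does not anonymise a short name: anyone holding a candidate
    list (a constructed one here) matches the digest by direct comparison."""
    for candidate in candidates:
        if hash_for_matching(candidate) == digest:
            return candidate
    return None


def audit_capture(urls):
    """Summarise a capture: pixel events that carried sensitive or matching data."""
    report = []
    for url in urls:
        f = audit_pixel_request(url)
        if f and (f["sensitive"] or f["advanced_matching"]):
            report.append((f["event"], sorted(f["sensitive"]), f["advanced_matching"]))
    return report


if __name__ == "__main__":
    for event, sensitive, matching in audit_capture(SAMPLE_REQUESTS):
        print(f"{event}: sensitive={sensitive} advanced_matching={matching}")
```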
The IRS Closely Regulates Tax Data
Nina Olson, the executive director of the nonprofit Center for Taxpayer Rights, was the national taxpayer advocate at the Internal Revenue Service between 2001 and 2019, a position in the agency meant to represent the interests of taxpayers. As part of her role at the IRS, she said, she contributed to the development of regulations that govern disclosures of tax information. Olson said the IRS regulations controlling the way private tax filing services can use data are intentionally “very strong.”

Under the regulations she helped develop, tax preparers, including e-filing companies, can use the information they receive from taxpayers only for limited purposes; for anything beyond immediately facilitating filing, the preparer has to get signed consent from the user that explains the recipient and the precise information being disclosed.

The government goes so far as to prescribe even the font size of requests for disclosure, saying it must be “the same size as, or larger than, the normal or standard body text used by the website or software package.” The penalties for disclosing data without consent are potentially steep: Fines and even jail time are possible, although Olson said she wasn’t aware of any criminal cases that have been pursued.

The Markup reviewed the tax preparation websites for disclosures that specifically mentioned Meta or Facebook but did not find them. Instead, some companies included relatively broad disclosure agreements.

TaxAct, for example, requested users approve sending their tax information to its sister company, TaxSmart Research LLC, so it could “develop, offer, and provide products and services” for users. It also stated “TaxSmart Research LLC may use service providers and business partners to accomplish these tasks.” H&R Block, meanwhile, included nearly the same disclosure request so “H&R Block Personalized Services, LLC” could provide products of its own.
Those sites provided the user with the option to decline to share tax information, although data was shared with Facebook regardless of what option users chose, according to The Markup’s tests.

Any disclosure from a tax preparer must provide the exact purpose and recipient to be in compliance, Olson said. “Do they have a list saying they’re going to disclose the refund amounts, and your children, and your whatever to Facebook?” she said. If not, she said, they may be in violation of regulations.

The IRS declined to comment or answer questions about whether any of the sites sharing tax information were in violation of tax law.
No Way Out for Taxpayers
American taxpayers have few options but to turn to private companies to file their returns.

Unlike other countries, the United States has a heavily privatized system for filing taxes, one that often requires the use of third-party tax preparers. While in those other countries the government handles the calculations, and taxpayers simply approve the numbers, after a successful lobbying push from private companies, tax preparers in the U.S. effectively act as middlemen between taxpayers and the government.

Tax preparation is now big business: Market researchers have estimated that it’s a more than $11 billion industry in the United States.

A free preparation and filing option exists, but it’s limited to people making $73,000 or less and can be difficult to use. Companies offer their tax software at no charge through an agreement with the IRS but have been criticized for not making the option easily available.

The IRS even effectively directs taxpayers attempting to file for free to some of the companies The Markup found using the pixel. A handful of tax preparation services are part of the agreement, known as the Free File Alliance, including TaxAct and TaxSlayer. TurboTax and H&R Block have been part of the program in the past.

Harvard’s Matlock said The Markup’s findings showed the almost inevitable consequences of relying on for-profit companies to handle a government requirement. It’s a process that provides users little choice but to hand over their data to Facebook if they want to comply with the law, she said.

“It’s frustrating because taxpayers have been pushed into the arms of these private, for-profit companies simply to comply with their tax filing obligations,” she said. “We have no choice, really, in the matter.”
Updated Nov. 23, 2022 This story has been updated to note when individual filing services stopped sharing customer tax data through the Meta Pixel.
Boffins at the University of Glasgow, in Scotland, have developed a system which they claim demonstrates a new type of cybersecurity threat: a “thermal attack.”
According to the researchers, the falling price of heat-detecting thermal imaging cameras and advances in machine learning have made it more feasible to guess what passwords a target may have entered on a keyboard, up to a minute after typing them.
Dr Mohamed Khamis led the development of ThermoSecure, a system that used a thermal imaging camera to identify which keys were last touched by an individual, and then guessed passwords and PINs entered on keyboards and ATM keypads.
In a press release announcing their findings, the experts described a possible attack scenario.
A passerby carrying a thermal camera can take a picture of a keyboard that reveals the heat signature of where fingers have recently made contact.
The brighter an area appears in the thermal image, the more recently it was touched. By measuring the relative intensity of the warmer areas, it is possible to determine the specific letters, numbers or symbols that make up the password and estimate the order in which they were used. From there, attackers can try different combinations to crack users’ passwords.
To put their system to the test, the researchers took 1,500 thermal photos from different angles of recently-used QWERTY keyboards.
The team then “trained an artificial intelligence model to effectively read the images and make informed guesses about the passwords from the heat signature clues using a probabilistic model.”
According to the research, 86% of passwords were correctly revealed when thermal images were taken within 20 seconds, 76% when images were taken within 30 seconds of entry, and a still impressive 62% after 60 seconds.
As you can probably imagine, success rates increased as passwords grew shorter. 12-symbol passwords were guessed up to 82% of the time, eight-symbol passwords were guessed on 93% of occasions, and six-symbol passwords were broken in 100% of attempts.
The researchers reported that they could even tackle longer passwords of 16 characters with a 67% success rate within 20 seconds.
And there’s bad news for slower “hunt-and-peck” typists who enter their passwords more slowly as they search for the right key to press. According to the researchers, non-touch typists tend to leave their fingers on keys for longer, creating heat signatures that reside for a longer period of time.
Dr Khamis believes it is “very likely” that criminals are developing systems similar to ThermoSecure to steal passwords.
“Access to thermal imaging cameras is more affordable than ever – they can be found for less than £200 – and machine learning is becoming increasingly accessible too,” he said.
My advice?
It’s generally better to use longer hard-to-guess passwords or passphrases than shorter passwords – but you knew that already, right?
If you’re nervous, use a backlit keyboard. These produce more heat, making it trickier for thermal readings to be taken accurately.
In a similar vein, the material used to make your keycaps makes a difference. ABS keycaps (made of Acrylonitrile Butadiene Styrene) retain heat for longer than those made of PBT (Polybutylene Terephthalate).
Ensure that your accounts are secured by additional methods of authentication (such as 2FA or biometrics) rather than just a single password.
Keep an eye open for anyone lurking nearby with a thermal imaging camera!
Too young to drive, old enough to bribe AT&T staff, apparently
A man who lost $24 million in cryptocurrency in an elaborate SIM swapping scam has won a multi-million-dollar judgment against the thief, who was 15 at the time of the hustle.
According to court documents [PDF] filed Friday in federal New York City court, Ellis Pinsky agreed to pay Michael Terpin $22 million for his starring role in the SIM swap and crypto heist. Pinsky was a New York high school student at the time of the theft in 2018, and it’s said he paid back $2 million about a year later to his victim.
Pinsky, now 20, has also agreed to testify against AT&T, according to Terpin. In a LinkedIn post earlier today, the blockchain investor told his followers of his civil lawsuit win:
[Pinsky] will be held responsible for $22 million (the amount he and his fellow gang members stole, minus a $2 mm credit for paying us back a small portion in 2019). Equally importantly is his agreement to provide evidence and testimony against AT&T in our upcoming May 2023 trial in federal court in Los Angeles.
Pinsky has not, to the very best of our knowledge, been charged with any crime, and it’s presumed this is because he was a minor at the time of the theft, and because he cooperated immediately with the Feds a couple of years ago when investigators homed in on him. In a Rolling Stone interview over the summer, Pinsky – dubbed Baby Al Capone by the media – admitted he swiped millions in crypto-coins from Terpin via a SIM swap.
According to that article, Pinsky said he wrote a Python script that would search social media for people who appeared to work for cellular networks, and would privately message them. Pinsky would, we’re told, offer those employees a small amount of Bitcoin to perform SIM swaps, aka port outs.
This basically reassigns a victim’s phone number to the SIM in the scammer’s phone so that the scammer receives that number’s calls and texts. Once that happens, the crook can request a password reset for the target’s webmail account, with the one-time verification code texted to the thief. Now in control of the email account and phone number, the thief can start going through all of the victim’s online accounts and apps, resetting passwords with the links and texts going to the webmail or hijacked phone number, logging in, and stealing any (say) cryptocurrencies found.
Which, according to Pinsky, is what he did to Terpin: after an AT&T worker did the SIM swap, he and an accomplice found a file in an Outlook account loaded with crypto wallet information, which was then used to siphon off the money. Specifically, it’s claimed, Pinsky and his co-conspirator stole 3 million TRIG coins, each worth more than $7 at the time, and laundered them into Bitcoins. TRIG has since crashed to less than 20 cents a coin.
The other side
Terpin sued AT&T for $240 million in 2018 for repeatedly failing to protect his cellphone from the teenage scammer. It’s been a long, drawn-out case, full of legal maneuvering on both sides, but here’s the gist of what Terpin said happened to his phone — and in court rooms since then.
According to Terpin’s first lawsuit [PDF], in June 2017 a fraudster posing as Terpin convinced an AT&T employee at a store in Connecticut to transfer Terpin’s phone number to another SIM card — after 11 earlier attempts at the scam in other stores had failed.
The miscreant then used his access to Terpin’s phone number to gain access to his cryptocurrency holdings, and transferred millions of dollars to a different account.
Terpin complained to AT&T, and the carrier agreed to put additional security policies in place where any future changes would require someone to not only provide ID but also supply a special six-digit code that only he and his wife knew.
Despite this, in January 2018, fraudsters again hijacked his phone number and, again, broke into his cryptocurrency accounts, ultimately stealing $24 million worth of digital coins. “The purloined telephone number was accessed to hack Mr Terpin’s accounts, resulting in the loss of nearly $24 million of cryptocurrency coins,” the lawsuit stated.
In February 2020, a judge dismissed AT&T’s effort to dismiss the case, noting that Terpin had provided sufficient proof that the US telco giant should defend its position in front of a jury.
Later that year, a judge threw out a $200 million damages claim Terpin had filed against AT&T, but allowed the rest of the case to move forward. It is slated for a federal court in Los Angeles in May.
Interestingly enough, Pinsky told Rolling Stone he returned all he could from the Terpin heist – 562 Bitcoins, his share of the spoils with his co-conspirator – a couple of years ago when he realized the jig was up. In 2020, that BTC would be worth $2 million, which Terpin alluded to in his statement above. At their peak in November last year, those Bitcoins would be worth about $40 million, and today: about $11 million. In any case, Pinsky’s now agreed to pay Terpin, one way or another, $22 million.
The distribution of messages supposedly from Fast Company magazine marked one of the largest breaches ever of Apple’s content controls
By Joseph Menn
September 27, 2022 at 10:09 p.m. EDT
Hackers breached internal systems at Fast Company magazine Tuesday evening, defacing the company’s main news site and sending racist push notifications through Apple News to iPhone users.
The two-sentence push notifications were attributed to Fast Company and contained the n-word and graphic language, prompting shocked users to post screenshots on Twitter.
While breaches at media companies are not unheard of, the notification was one of the biggest violations of Apple’s “walled garden” in memory. There was nothing to indicate that user security was compromised beyond the upsetting wording.
“Fast Company’s Apple News account was hacked on Tuesday evening. Two obscene and racist push notifications were sent about a minute apart,” the magazine said by email. “The messages are vile and are not in line with the content of Fast Company. We are investigating the situation and have suspended the feed and shut down FastCompany.com until we are certain the situation has been resolved.”
An Apple spokesperson pointed to a tweet from Apple News that said: “An incredibly offensive alert was sent by Fast Company, which has been hacked. Apple News has disabled their channel.”
While the magazine’s site was defaced, an article that was labeled sponsored content gave the hackers’ description of how the break-in occurred.
That account said the group had gotten into the company’s WordPress program and found keys to functions including the Apple News programming interface.
Bank of America recently sent a customer service email warning users to watch out for this new phishing attack.
Threat actors are sending realistic texts requesting that you send money using Zelle® as payment due to a “fraud alert.” These texts make the warning look legitimate, and if you respond to the text then you’ll receive a call from a fake representative.
This person will use social engineering techniques to trick you into sending money to yourself through the Zelle® payment method. In reality you’ll be sending the money directly to the scammers, who receive it in their own account.