IRS hack far larger than first thought

By Elizabeth Weise | USA Today | August 18, 2015

A hack of the Internal Revenue Service first reported in May was nearly three times as large as previously stated, the agency said Monday.

Thieves have accessed as many as 334,000 taxpayer accounts, the IRS said.

In May, the IRS reported that identity thieves were able to use the agency's Get Transcript program to get personal information about as many as 114,000 taxpayers.

On Monday, the IRS said an additional 220,000 accounts had also been hacked. In all, 334,000 accounts were accessed, though whether information was stolen from every one of them is not known.

The hackers made use of an IRS application called Get Transcript, which allows users to view their tax account transactions, line-by-line tax return information or wage and income reported to the IRS for a specific tax year.

To enter the Get Transcript system, the user must correctly answer multiple identity verification questions.

The hackers took information about taxpayers acquired from other sources and used it to correctly answer the questions, allowing them to gain access to a plethora of data about individual taxpayers.

The Get Transcript service was shut down in May.

Hackers love authentication-based systems because it's very difficult to distinguish between "the good guys and the bad guys" when someone is trying to get in, said Jeff Hill of STEALTHbits Technologies, a cyber security company.

"Here we have a case where a successful authentication-based attack was discovered in May, and yet the IRS is still unclear of the extent of the breach's damage months later. Even now, how confident is the IRS they fully understand the extent of the attack completely, or should we expect yet another shoe to drop in the coming weeks?" Hill said.

Notification of the increased number of hacked accounts came Monday.

In a statement the agency said, "as part of the IRS's continued efforts to protect taxpayer data, the IRS conducted a deeper analysis over a wider time period covering the 2015 filing season, analyzing more than 23 million uses of the Get Transcript system."

That analysis revealed an additional 220,000 accounts had also potentially been accessed.

In addition to the accounts the hackers were able to access, the IRS disclosed hack attempts that didn't succeed. There were 111,000 attempts on accounts disclosed in May and 170,000 disclosed on Monday, for a total of 281,000 accounts where the hackers "failed to clear the authentication processes," the agency said.

Taxpayers whose information was potentially breached will get letters in the mail from the IRS in the coming days.

They will also get access to free credit protection and Identity Protection PINs, the IRS said in a statement.