05 May 2017

100k FAFSA apps hacked using autopopulate bug

It started with criminals filling out federal application for federal student aid (FAFSA, aka federal student loan) forms and then circumventing the website's access controls. The hackers were then able to get other applicants' information used for tax returns and submit their own phony tax returns to try to steal refunds.

The hackers took advantage of a faulty module on the site called IRS Data Retrieval, which auto-populates your online federal student loan application using your already known tax return info.

The IRS claimed that in November 2015 it notified the Department of Education about these security concerns (breach), but the IRS didn't actually disable the exposure until March 2017. The IRS has flagged at least 100,000 accounts as a result.

Individuals can still apply through FAFSA but will need to enter their information manually.
