Since when do systems allow brute-force attacks on PIN numbers?
Who said brute force?
The attack occurred in January and targeted an IRS Web application that taxpayers use to obtain their so-called Electronic Filing (E-file) PINs. The app requires taxpayer information such as name, Social Security number, date of birth and full address.
This sucker just harvested them.
Because, really, HOW many different places will have those 4 pieces of information? I'm betting FAR too many for comfort
Oh, and of course:
While the IRS said that externally-acquired taxpayer data was used, the agency did suffer a security breach last year that allowed attackers to gain information such as Social Security information, date of birth and street address for over 300,000 taxpayers.
the IRS has already coughed this up before.
Who needs brute force when it's just a matter of entering the information you already have?