Credential theft
IRS Get Transcript Identity Theft Attack - 100,000+ Taxpayer Accounts
Incident Details
Between January and May 2015, a sophisticated crime ring accessed the IRS’s ‘Get Transcript’ online application, which allowed taxpayers to retrieve prior-year tax returns, and obtained transcripts for approximately 100,000 US taxpayers by successfully answering identity verification questions. The attackers used previously stolen personal information (Social Security numbers, addresses, dates of birth, tax filing status, and more) from other data breaches to authenticate to the IRS system and retrieve tax transcripts. These transcripts were then used to file fraudulent tax returns and claim refunds.

The IRS shut down the Get Transcript application on 21 May 2015. The IRS initially estimated that 100,000 accounts had been accessed; subsequent investigation expanded this to approximately 334,000 accounts where thieves were able to access transcripts, plus an additional 281,000 failed attempts that were blocked. The IRS sent letters to all affected taxpayers offering identity protection PINs for future filings. The total fraudulent refund claims associated with the breach were estimated at approximately $50 million. The attack was attributed to a Russian-speaking organised crime ring. IRS Commissioner John Koskinen testified before Congress. The breach illustrated the severe downstream risk of credential stuffing when personal data from other breaches is aggregated and used to defeat ‘knowledge-based authentication’ questions.
Technical Details
- Initial Attack Vector: Sophisticated crime ring (attributed to Russian-speaking criminal syndicate) used previously stolen personal data (Social Security numbers, dates of birth, addresses, filing status) obtained from external sources to pass the IRS Get Transcript application's authentication questions and access prior-year tax returns for use in fraudulent refund claims
- Vendor / Product: IRS Get Transcript online application
Timeline
- 2015-01-01 Breach occurred
- 2015-05-26 Publicly disclosed
- 2015-06-01 Customers notified