Intuit insists its systems were not breached. The company suggests that victims had their TurboTax login information stolen from "other sources outside the tax preparation process," possibly through a phishing scam or some other online attack.
Lisa Letchworth, who lives in Washington State, doesn't know how it happened, but crooks got into her TurboTax account. Last Tuesday, when she logged on to start her federal return, she got a nasty surprise. A message on the screen said her return had already been filed and the IRS was issuing a refund of $5,013 to someone else on a prepaid card.
Read MoreTurboTax 'messed up,' refunds customers
"It freaked me out," she said.
Letchworth was able to see the bogus return the criminals had filed. They had all the information from last year's return -- including the names and Social Security numbers of everyone in her family, employer names, even a special education credit she claimed.
"It's really frightening," she said. "It's painfully clear they got into my account."
Because the crooks filed first, Letchworth and her husband will have to prove to the IRS that they were the victims of identity theft. Letchworth said the IRS told them it could take six months to straighten out all the paperwork and get them their refund.
What's going on here?
Tax return fraud isn't new. It's been a massive problem for both the IRS and states with an income tax. The IRS reports that it has blocked more than $63 billion in fraudulent returns since 2011.
Online tax preparation software makes it easy for crooks to create a fake return. Having the refund deposited to a prepaid card provides a low-risk way to access the stolen money.
Read More Here's why companies are really leaving the US
And the crooks are getting better at beating the system.
Instead of using stolen Social Security numbers to create their fraudulent returns, they buy compromised credentials to gain access to past returns stored on tax preparation software. Using information from a real return to create a false one improves the odds that it will evade detection.
Security expert Brian Krebs told NBC News that he's found login credentials for TurboTax, H&R Block and similar services being sold on the dark web for just pennies each.
"Typically, the usernames and passwords for consumer accounts at these services are obtained via password-stealing malware that infects end-user PCs," Krebs writes on his blog.
What can you do to protect yourself?
If you use online tax preparation software, especially the kind that stores your completed tax returns, change your login information right away. That's really the only thing you can do.
Security experts believe this crime wave will get worse unless the states and the IRS deploy better procedures and more sophisticated software that can detect and stop possible return fraud.