A day or two ago, some QuickBooks users and ProAdvisors began receiving a somewhat suspicious-looking notification from The QuickBooks Enterprise Team.
We're here to tell you that the notice is real. It is not a phishing email. I'll repeat that – It is not a phishing email.
Apparently, the notice below went out to 12,000 (+/-) inactive QuickBooks Enterprise 16 customers. These are users who purchased QuickBooks Enterprise but discontinued their Full Support Plan and were not on the monthly subscription plan.
[Image: Real or Fake Notification (Intuit)]
By the way, we have redacted the identifications shown in the above notice, and none of the links shown in the graphic above are live. Our intent is to advise you as to the legitimacy of this notice and discuss the issues and ramifications associated with it.
In the notification, Intuit says it has identified a security vulnerability in QuickBooks Desktop software. While it is not aware of any cases where fraudsters or others have taken advantage of this vulnerability, it could allow a cyber criminal to access QuickBooks Desktop data where the software has not been updated to newer releases or patched with this update.
The QuickBooks Desktop Enterprise team advises users of QuickBooks Enterprise Solution (QBES) 16.0 to download the latest "entitled" version of QuickBooks Enterprise Solution 16.0. This version includes new features that eliminate the security vulnerability.
These features include password controls to verify that anyone attempting to access your QuickBooks Desktop company file is authorized.
The key words above are "latest entitled version" (our quotations, not Intuit's). I assume this is why it is only addressing the R1, R3 and R5 releases of the product in terms of providing download links.
I want to call your attention to the fact that the notice also says the update's "features include password controls to verify that anyone attempting to access your QuickBooks Desktop company file is authorized."
In other words, the update patch for each release (R1, R3 and R5) will implement the security and password changes that many people chose not to accept and therefore decided not to migrate beyond R5.
Intuit is also reminding customers (even inactive ones still using its products) of precautions that should always be taken to protect their accounts and data, including:
- Customers should set up a strong password for their QBES company file. The password should include unique letters and numbers, and should not be basic words that can easily be found online or in a dictionary.
- Customers should protect all personal information. Never give out a username or password and use different passwords for each QBES user account.
- Intuit also recommends that all customers upgrade to new versions of QuickBooks Enterprise such as QuickBooks Enterprise Solution (QBES) 17.0.
Once again, for users receiving the notice, the instructions and links included are all official Intuit notifications and active Intuit links. The notice provides links so that you can download and install the "latest entitled version" of QBES, including QBES 16.0 R1, QBES 16.0 R3 and QBES 16.0 R5.
Users will have to decide whether to "update" according to the notification provisions or just keep using QuickBooks Enterprise 2016 as they do now, without the security solution associated with the notification.
The choice is up to you.