February 24, 2015

To Users of 990 and ePostcard (990-N):

The Urban Institute’s National Center for Charitable Statistics (NCCS) recently discovered that an unauthorized party or parties have accessed the Form 990 Online and e-Postcard filing systems for nonprofit organizations. This unauthorized access affected nonprofit users of IRS Forms 990, 990-EZ, and 990-N (e-Postcard). In addition, it affected users of Form 8868 extensions and filings for charitable organizations in Hawaii, Michigan, and New York.

We regret to inform you that the username, first and last name, email address, IP address, phone number and password associated with your nonprofit organization were compromised in this incident.

Once we discovered the attack, we contacted IRS and made every effort to secure the systems and user accounts. We are working with law enforcement agencies as they conduct an investigation. In addition, we have retained a leading cybersecurity firm to help us analyze the situation and strengthen security.

Currently we believe no information from the filings themselves was compromised. These forms do not contain Social Security numbers, credit card data or individual tax filer information, so this sensitive information was not available to the hackers. Copies of the 990 returns, including the e-Postcard, are public documents that are released by the IRS.

If you use the same password for your organization’s Form 990 Online and e-Postcard that you do for other websites or applications, we strongly encourage you to change it immediately in each of those instances, as well as on these systems.

To change your password on the Form 990, click here.

To change your password on the e-Postcard, click here.

To enhance security, all users accessing the Form 990 Online and e-Postcard systems are required to change their passwords upon logging in – or when they logged in most recently. We encourage you to be alert for unusual or suspicious emails and use caution when clicking on links or opening attachments from unknown senders.   

We sincerely apologize for this disruption and any inconvenience this incident may cause you. We have a strong commitment to privacy and data security, and we are continuing to do everything we can to protect against future attacks. Our investigation is ongoing, and we will let you know if it reveals new information that is relevant to your account.

If you have any questions, please visit our FAQ where you can obtain further information. While you can’t reply directly to this email, you can email us at [email protected] or call 1-800-564-9110 if you have more questions.


Elizabeth Boris

Director, Center on Nonprofits and Philanthropy at the Urban Institute