But these aren't phishing victims. The IRS deployed a system which returns a treasure trove of personal information to anyone who presents a few shared secrets. This is a fundamentally flawed authentication mechanism devised by the IRS.
Those shared secrets were likely obtained by either phishing or a data breach. There's no indication thus far that the IRS was the source of the information that let people obtain these returns.
