80% of U.S. small business accounting data is entered and stored on one company’s software. Major professional CPA firms around the world use this company’s tax preparation software and trust that the security controls are doing their job. During a penetration test, I discovered, and disclosed to the manufacturer, a critical unauthenticated information leak/man-in-the-middle vulnerability in the way the tax preparation software transfers customer data between client and server. This vulnerability exposes all customers’ names, addresses, phone numbers, email addresses, social security numbers, job, spouse information, and more.