I just got spam to the unique tagged address I gave to the TaxAct people a while back when I bought their tax software. (Not this year, either.)
Relevant details:
Return-Path: <taxact.2003@eponder.com>
From: “taxact.com.g35d.k72a” <taxact.com.g35d.k72a@jlsouth.com>
To: “taxact.012504” <MUNGED@MY.DOMAIN>
Subject: Be the man of her dreams
… And yes, you guessed right, it’s penis pill spam. But they clearly know this is a list of TaxAct customers, meaning they’re well-placed to do phishing attacks based on tax information, especially if they got any other information.
I haven’t yet found out anything from TaxAct. If you used them, especially last year, be wary. If you know other people who have had to do taxes, you might warn them too.
(Edited to add: Apparently not the first time, someone I know had the same experience in June 2006. TaxAct, at the time, didn’t seem to feel it was a big deal or anything worth investigating.)