Zacks Investment Research has suffered a data breach exposing nearly 12 million user accounts, according to reports on a hacking forum.
The breach, which allegedly occurred in June 2024, includes sensitive user information such as names, email addresses, physical addresses, phone numbers, usernames, IP addresses, and unsalted SHA-256 password hashes. This marks the second major cybersecurity incident for Zacks in recent years, following a confirmed breach in 2023.
The breach has just been added to Have I Been Pwned (HIBP) after the compromised data surfaced on a hacking forum last month. A user operating under the alias Jurak posted about the incident on BreachForums on January 24, claiming to have accessed Zacks' source code and databases containing 15 million lines of customer records. The leaked data reportedly includes a superset of records from the 2023 breach, meaning that it contains both previously stolen information and additional newly exposed user details.
CyberInsider
Jurak, who claims responsibility for the breach alongside another hacker known as StableFish, released samples of customer data, confirming the presence of email addresses, names, usernames, phone numbers, and hashed passwords. While the source code was mentioned in the post, the hacker stated they were withholding it from public release but would share it privately with trusted individuals.
Zacks' role and potential impact
Zacks Investment Research, headquartered in Chicago, is a well-known provider of financial analysis, stock research, and investment recommendations. The company is particularly recognized for its Zacks Rank system, which helps investors assess stock performance. Its services cater to individual investors, financial advisors, and institutional clients, making it a valuable target for cybercriminals seeking financial data and personal information.
This latest breach follows a 2023 cybersecurity incident that Zacks confirmed at the time, though the company has yet to acknowledge or respond to inquiries regarding the 2024 breach. Attempts to contact the company regarding the recent leak have reportedly gone unanswered.
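The leak of unsalted SHA-256 password hashes is particularly concerning. SHA-256 is cryptographically strong, but it is a fast, general-purpose hash and is not suited to password storage on its own. Without a per-user salt, identical passwords produce identical hashes, so a single computed guess can be checked against every leaked account at once and precomputed lookup tables apply directly, making it potentially easier for attackers to crack the hashes using brute-force methods. Additionally, the inclusion of physical addresses, phone numbers, and IP addresses raises the risk of phishing attacks, identity theft, and financial fraud.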
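To make the storage problem concrete, the following added example (not code from Zacks or from the original article) contrasts unsalted SHA-256 with a per-user salt and the memory-hard scrypt function. The function names, the scrypt cost parameters and the sample accounts are assumptions made for illustration.

```python
from __future__ import annotations

import hashlib
import hmac
import os

# scrypt cost parameters (assumed for this example; tune to your hardware)
SCRYPT_N, SCRYPT_R, SCRYPT_P, DKLEN = 2**14, 8, 1, 32


def unsalted_sha256(password: str) -> str:
    """The weak scheme: one fast hash, no salt."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def hash_password(password: str, salt: bytes | None = None) -> str:
    """Hardened form: per-user random salt plus a memory-hard KDF (scrypt)."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                            n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=DKLEN)
    return f"{salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    salt_hex, _digest_hex = stored.split("$")
    candidate = hash_password(password, bytes.fromhex(salt_hex))
    return hmac.compare_digest(candidate, stored)


def shared_hash_groups(records: dict[str, str]) -> list[list[str]]:
    """Group accounts whose stored hashes are byte-for-byte identical."""
    groups: dict[str, list[str]] = {}
    for user, stored in records.items():
        groups.setdefault(stored, []).append(user)
    return [sorted(users) for users in groups.values() if len(users) > 1]


# Constructed sample accounts (not taken from any real data set).
SAMPLE = {"alice": "Tr4ding-desk!", "bob": "Tr4ding-desk!", "carol": "s3parate-Pass"}

if __name__ == "__main__":
    weak = {u: unsalted_sha256(p) for u, p in SAMPLE.items()}
    strong = {u: hash_password(p) for u, p in SAMPLE.items()}
    print("unsalted, shared hashes:", shared_hash_groups(weak))
    print("salted scrypt, shared hashes:", shared_hash_groups(strong))
    print("alice verifies:", verify_password(SAMPLE["alice"], strong["alice"]))
```

With the unsalted scheme, the two accounts that share a password are visible as a group in the stored data; with per-user salts no two stored values match, and each guess must be recomputed per account at scrypt's cost.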
Given the scope of the breach, affected users should take immediate action to secure their accounts and minimize risks. Recommended steps include:
- Change passwords immediately on Zacks and any other platform where similar credentials were used. Use a unique, strong password for each service.
- Enable multi-factor authentication (MFA) where possible to add an extra layer of security.
- Monitor email and phone communications for phishing attempts or suspicious login activity.
- Check financial accounts and credit reports for any signs of fraudulent activity.
Given Zacks' lack of response, it remains unclear whether affected users will receive official notifications or whether the company is actively addressing the breach, so maximum vigilance is advised.