Zacks Investment hit in data breach - 12 million users potentially at risk

A computer being guarded by cybersecurity.

(Image credit: iStock)

A hacker posted a new thread on an underground forum
They claim to have stolen data on 12 million people from Zacks Investment Research
Zacks hasn't responded to media inquiries yet

Zacks Investment Research, a financial data, stock research, and analysis company based in Chicago, apparently suffered a cyberattack in which it lost sensitive data on millions of people.

A report by BleepingComputer cites a thread posted on an underground hacking forum claiming to have breached Zacks in June 2024, gaining sensitive information on 12 million people, including names, usernames, email addresses, postal addresses, and phone numbers.

The forum thread contained a small sample, and an offer for the entire batch in exchange for a “small cryptocurrency amount”.

Exposing the emails

Speaking to the attacker, the publication found that the attacker gained access to Zacks’ active directory as a domain admin, after which they stole the source code for the main site and 16 other assets. Zacks hasn’t responded to media inquiries yet.

At the same time, Have I Been Pwned?, a website aggregating email addresses exposed in data breaches, added the new batch, but said almost all (93%) were exposed in previous attacks.

Zacks is yet to comment on the claims of a data breach. However, it is no stranger to cyber-incidents. In December 2022, the company identified unauthorized access to certain customer records. The breach affected approximately 820,000 customers who had signed up for the Zacks Elite product between November 1999 and February 2005. Exposed information included names, addresses, phone numbers, email addresses, and passwords from an older database.

In June 2023, a database containing personal information of over 8.8 million Zacks users emerged on a hacking forum. The data, dated up to May 2020, included names, addresses, phone numbers, email addresses, usernames, and passwords stored as unsalted SHA-256 hashes.

Via BleepingComputer

The impact of the cyber insurance industry in resilience against ransomware
We've rounded up the best password managers
Take a look at our guide to the best authenticator app

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.