Zacks Investment Data Breach Exposes 12 Million Users
A significant data breach at Zacks Investment Research has exposed the sensitive personal information of approximately 12 million users.
The breach, first reported by BleepingComputer, involved the leak of usernames, email addresses, physical addresses, phone numbers, and passwords (stored as unsalted SHA-256 hashes). This represents a substantial compromise of user data.
The Extent of the Zacks Investment Leak
The threat actor, who published data samples on a hacker forum, claimed to have gained access to Zacks’ Active Directory as a domain admin.
They then proceeded to steal source code from the main Zacks.com website and 16 other associated websites, including internal ones. Samples of this stolen source code were shared as proof of the breach. The data was made available to forum members for a small cryptocurrency payment.
The leaked Zacks Investment data was subsequently added to Have I Been Pwned (HIBP), a service that allows users to check if their data has been compromised in past breaches.
HIBP confirmed the presence of 12 million unique email addresses, along with IP addresses, names, and phone numbers in the leaked file. However, HIBP also noted that roughly 93% of the leaked email addresses were already in its database from previous breaches of Zacks or other services.
A Pattern of Breaches at Zacks Investment
This Zacks Investment leak is potentially the third major data breach impacting the company in the past four years. In January 2023, Zacks disclosed a breach affecting 820,000 customers, and in June 2023, another leak involving 8.8 million individuals was validated by HIBP.
While Zacks has not yet officially confirmed this latest incident, the evidence suggests a new breach. The possibility of the threat actor compiling information from other sources remains, but the volume and nature of the leaked data strongly suggest a direct breach of Zacks systems.
The Zacks Investment leak highlights the ongoing challenges companies face in protecting user data. The use of unsalted SHA-256 hashes for passwords, while not ideal, is a common practice.
However, the scale of this breach underscores the need for robust security measures and proactive monitoring to prevent future incidents. The impact of this Zacks Investment data leak on users is significant, and many may now be at risk of identity theft or financial fraud. Users are urged to monitor their accounts closely and take appropriate steps to protect themselves.
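The password storage weakness noted above, shown as an added example that is not code from Zacks or from the original report: with unsalted SHA-256, identical passwords always produce identical hashes, while a per-user salt with scrypt does not, and legacy records can be rehashed at the next successful login. The record layout, function names, scrypt parameters and sample password are assumptions made for illustration.

```python
import hashlib
import hmac
import os

# Assumed cost parameters (about 16 MiB of memory per hash); tune per deployment.
SCRYPT_PARAMS = {"n": 2**14, "r": 8, "p": 1, "dklen": 32}


def legacy_hash(password: str) -> str:
    """Unsalted SHA-256, the storage format reported for the leaked passwords."""
    return hashlib.sha256(password.encode()).hexdigest()


def new_record(password: str) -> dict:
    """Salted scrypt record: a fresh random salt for every user."""
    salt = os.urandom(16)
    digest = hashlib.scrypt(password.encode(), salt=salt, **SCRYPT_PARAMS)
    return {"scheme": "scrypt", "salt": salt.hex(), "hash": digest.hex()}


def verify_and_upgrade(record: dict, password: str) -> tuple:
    """Check a login attempt; return (ok, record_to_store).

    A legacy SHA-256 record is replaced by a scrypt record only after the
    password has been verified, so no plaintext is needed for the migration.
    """
    if record["scheme"] == "sha256":
        ok = hmac.compare_digest(record["hash"], legacy_hash(password))
        return ok, (new_record(password) if ok else record)
    salt = bytes.fromhex(record["salt"])
    digest = hashlib.scrypt(password.encode(), salt=salt, **SCRYPT_PARAMS)
    # Constant-time comparison avoids leaking how many characters matched.
    return hmac.compare_digest(record["hash"], digest.hex()), record


if __name__ == "__main__":
    pw = "Spring2024!"  # constructed sample password, not from the leak
    print("unsalted, user A:", legacy_hash(pw))
    print("unsalted, user B:", legacy_hash(pw))  # same value as user A
    print("scrypt,   user A:", new_record(pw)["hash"])
    print("scrypt,   user B:", new_record(pw)["hash"])  # differs from user A
    ok, upgraded = verify_and_upgrade({"scheme": "sha256", "hash": legacy_hash(pw)}, pw)
    print("login ok:", ok, "| stored scheme is now:", upgraded["scheme"])
```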