A new cyberattack has exposed the data of 12 million Zacks Investment Research customers, a significant breach for the company.
This latest incident, following previous breaches in 2020, 2022, and 2023, highlights the ongoing vulnerability of financial services firms to sophisticated cyberattacks. The breach, allegedly perpetrated by the threat actor “Jurak” in collaboration with “StableFish,” involved the compromise of sensitive customer data and source code.
The data, reportedly originating from a June 2024 incident, includes usernames, passwords (stored as unsalted SHA-256 hashes), customer IDs, first and last names, email addresses, time zone codes, last password change dates, and IP and physical addresses.
This information, totaling 15 million lines across 13 database tables, was offered for sale on the dark web. The source code itself remains undisclosed, but the threat actor is actively seeking buyers.
This breach represents a serious risk. The exposure of source code could lead to further vulnerabilities being exploited. The reputational damage to Zacks is significant, particularly given previous breaches. The company also faces potential violations of SEC regulations and data privacy laws, which could bring substantial fines.
For affected customers, the implications are severe. Identity theft, credential exploitation, and privacy concerns are all major risks. Customers should immediately change their Zacks passwords and enable two-factor authentication (2FA).
They should also monitor their bank accounts and investment platforms for suspicious activity and remain vigilant against phishing attempts.
Key Details of the Zacks Investment Research Breach:
- Date of Breach: June 2024 (discovered and reported in late January 2025)
- Threat Actor: Jurak (in collaboration with StableFish)
- Data Compromised: 12 million unique email addresses, IP and physical addresses, names, usernames, phone numbers, unsalted SHA-256 password hashes, and source code. The data totals 15 million lines across 13 tables.
- Data Source: Zacks Investment Research databases and source code repositories.
- Data Location: Dark Web (http://breached26tezcofqla4adzyn22notfqwcac7gpbrleg4usehljwkgqd.onion/Thread-DATABASE-Zacks-com-Breach)
Recommendations:
Zacks Investment Research needs to conduct a thorough investigation, notify affected clients and regulatory authorities, and rotate credentials and API keys. They must also enhance encryption, conduct regular penetration testing, implement robust access controls, and improve employee cybersecurity awareness training.
This breach underscores the critical need for robust cybersecurity measures within the financial services industry. Joining industry groups like the Financial Services Information Sharing and Analysis Center (ISAC) can provide valuable insights and resources to mitigate future risks.