A database containing the personal information of more than 8.9 million Zacks Investment Research users was leaked on a cybercrime forum.
A database containing personal information of 8,929,503 Zacks Investment Research users emerged on a popular hacking forum on June 10, 2023.
Zacks is the leading investment research firm focusing on stock research, analysis, and recommendations.
The availability of the archive was reported by the data breach notification service Have I Been Pwned (HIBP), which notified Zacks. According to HIBP, the records in the database contain names, addresses, phone numbers, email addresses, usernames, and passwords stored as unsalted SHA-256 hashes.
The company attempted to downplay the security breach, telling Have I Been Pwned that threat actors only had access to "encrypted" passwords; the passwords were in fact stored as unsalted SHA-256 hashes.
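Why the distinction matters, as an added example that is not part of the original article or of any Zacks system: with unsalted SHA-256, every account sharing a password shares the same digest, so one successful guess exposes all of them, and a defender holding such a legacy store can wrap the existing digests in a salted, slow KDF without waiting for users to log in. The usernames, passwords and iteration count below are constructed for the example.

```python
import hashlib
import hmac
import os

# Constructed sample records in the legacy format the article describes:
# the password stored as a bare, unsalted SHA-256 digest (64 hex characters).
LEGACY_USERS = {
    "alice": hashlib.sha256(b"Summer2020!").hexdigest(),
    "bob":   hashlib.sha256(b"Summer2020!").hexdigest(),
    "carol": hashlib.sha256(b"correct horse battery staple").hexdigest(),
}

ITERATIONS = 600_000  # PBKDF2 work factor; constructed value for the example


def duplicate_hash_groups(store):
    """Risk triage for an unsalted store: equal passwords are visibly equal,
    so one lookup of a common password exposes every account using it.
    Returns the groups of usernames that share a digest."""
    by_hash = {}
    for user, digest in store.items():
        by_hash.setdefault(digest, []).append(user)
    return [users for users in by_hash.values() if len(users) > 1]


def wrap_legacy_hash(legacy_hex, salt=None, iterations=ITERATIONS):
    """Upgrade a record in place: feed the legacy SHA-256 hex string, as if it
    were the password, into salted PBKDF2-HMAC-SHA256. Returns (salt, key)."""
    salt = salt or os.urandom(16)
    key = hashlib.pbkdf2_hmac("sha256", legacy_hex.encode(), salt, iterations)
    return salt, key


def verify_wrapped(password, salt, expected, iterations=ITERATIONS):
    """Login path for an upgraded record: recompute the legacy digest, then
    the PBKDF2 wrap, and compare in constant time."""
    legacy_hex = hashlib.sha256(password.encode()).hexdigest()
    key = hashlib.pbkdf2_hmac("sha256", legacy_hex.encode(), salt, iterations)
    return hmac.compare_digest(key, expected)


def upgrade_store(store):
    """Wrap every legacy digest with its own random salt."""
    return {user: wrap_legacy_hash(digest) for user, digest in store.items()}
```

After the upgrade, alice and bob no longer share a stored value even though their passwords are identical, and each guess against the dump costs a full PBKDF2 run per account instead of a single SHA-256.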
In January, Zacks Investment Research (Zacks) disclosed a data breach; the company reported that the security incident may have affected the personal information of 820,000 customers.
The company discovered the intrusion at the end of 2022 and believes the unauthorized access took place sometime between November 2021 and August 2022.
According to the notice, threat actors had access to an older database of customers who had signed up for the Zacks Elite product between November 1999 and February 2005.
At the time, the company added that it had no evidence that financial data had been exposed in the security incident.
“In December 2022, the investment research company Zacks announced a data breach. The following month, reports emerged of the incident impacting 820k customers. However, in June 2023, a corpus of data with almost 9M Zacks customers appeared before being broadly circulated on a popular hacking forum. The most recent data was dated May 2020 and included names, usernames, email and physical addresses, phone numbers and passwords stored as unsalted SHA-256 hashes.” reported HIBP. “On disclosure of the larger breach, Zacks advised that in addition to their original report “the unauthorised third parties also gained access to encrypted [sic] passwords of zacks.com customers, but only in the encrypted [sic] format”.”
The company also reset the passwords of the compromised accounts in response to the security breach.
HIBP pointed out that the most recent record in the leaked database is dated May 2020.
Impacted customers should also change the password for all other online accounts for which they used the same credentials as their Zacks account. Customers are also recommended to monitor financial accounts and consumer credit reports.
The availability of the database in the cybercrime ecosystem poses a severe risk to the company's users.
Pierluigi Paganini
(SecurityAffairs – hacking, Zacks Investment Research)