Zacks Investment Research (Zacks) last year reportedly suffered another data breach that exposed sensitive information related to roughly 12 million accounts.
Zacks is an American investment research company that provides its customers data-driven insights through a proprietary stock performance assessment tool called ‘Zacks Rank’, to help with making informed financial decisions.
In late January, a threat actor published data samples on a hacker forum, claiming a breach at Zacks in June 2024 that exposed data of millions of customers.
The published data, available to forum members in exchange for a small cryptocurrency amount, contains full names, usernames, email addresses, physical addresses, and phone numbers.
Source: BleepingComputer
BleepingComputer contacted Zacks multiple times to ask about the authenticity of the data, but we have not heard back.
However, the threat actor told BleepingComputer that they gained access to the company’s active directory as a domain admin and then stole source code for the main site (Zacks.com) and 16 other websites, including some internal websites. They also shared samples of the source code they had stolen as proof of the new breach.
Earlier today, the leaked Zacks database was added to Have I Been Pwned, a website where users can check if their personal data has been compromised.
HIBP confirmed that the file included 12 million unique email addresses, along with IP addresses, names, passwords in the form of unsalted SHA-256 hashes, phone numbers, physical addresses, and usernames.
However, the service also notes that roughly 93% of the leaked email addresses were already in its database from past breaches of the same platform or other services.
No official confirmation
Zacks has not confirmed the alleged breach but if the data leak proves to be the result of a new hack, it may be the third major data breach impacting the company in the past four years.
In January 2023, Zacks disclosed that hackers had breached its networks between November 2021 and August 2022, and gained access to sensitive information of 820,000 customers.
A few months later, in June 2023, HIBP validated a separate database originating from Zacks, and which had been leaked earlier.
That database contained email addresses, usernames, unsalted SHA256 passwords, addresses, phone numbers, and the full names of 8,8 million individuals using Zacks’ services.
According to Troy Hunt, the creator of the HIBP service, the data appeared to have been dumped in May 2020, indicating that it resulted from an older incident.
The latest leak of Zacks customers, while not officially validated, has been verified by HIBP before adding it to the service and there is a very high degree of confidence that it comes from a new incident.
It should be noted that there is also the possibility of threat actors scraping the information from other services and compiling a database with user information associated with Zacks.