Have I Been Pwned warns of new Zacks data breach impacting 8 million


Zacks Investment Research (Zacks) has reportedly suffered an older, previously undisclosed data breach impacting 8.8 million customers, with the database now shared on a hacking forum.

The firm previously disclosed a data breach that occurred between November 2021 and August 2022, warning that unauthorized network intruders accessed the personal and sensitive information of about 820,000 customers.

“We have no reason to believe any customer credit card information, any other customer financial information, or any other customer personal information was accessed,” mentioned Zacks’ notification at the time.

However, data breach notification service Have I Been Pwned (HIBP) listed an additional Zacks breach this weekend after being sent a database containing 8.8 million user records.

HIBP’s creator, Troy Hunt, told BleepingComputer that this database appears to have been dumped around May 10th, 2020, before the previous breach at Zacks.

Hunt told BleepingComputer that the database contains Zacks customers’ email addresses, usernames, unsalted SHA256 passwords, addresses, phone numbers, first and last names, and other data.

Zacks newest data leak notice on HIBP
Zacks newest data leak notice on HIBP

Financial information like credit card and bank account details are not included in the dump, and it does not appear that the hackers accessed this type of data.

Unfortunately, Zacks had previously initiated a password reset procedure for the breach disclosed in January, but it can be assumed that the remaining 90% of breached accounts that weren’t identified as such were not included in the measure, leaving them exposed to account hijacking, credential stuffing, and SIM swapping.

While Zacks did not respond to questions from BleepingComputer, Hunt told us that Zacks plans on notifying impacted users, but there is no timeline for when this will be done.

Have I Been Pwned users can now enter their email address on the site and be notified if it was found in the newly leaked Zacks data.

Zacks data shared on hacking forum

Soon after adding the data breach to Have I Been Pwned, the Zacks database was posted on the Exposed hacking forum, a site used to share and sell stolen data.

Exposed is a recently-emerged new hacking forum that gained notoriety after leaking a database containing the details of almost half a million members of the now-defunct RaidForums.

Threat actor's post on Exposed forums
Threat actor’s post on Exposed forums
Source: BleepingComputer

Now that the database has been publicly leaked, threat actors will likely abuse it in phishing or credential-stuffing attacks.

Therefore, all Zacks users are strongly advised to change their passwords to unique ones only used at that site.

If you use the same Zacks password at other sites, you should change the passwords at those sites to a unique one as well.



Source link