Zacks Investment Research reportedly suffered a data breach in 2024, exposing sensitive information from approximately 12 million accounts.
The American investment research firm provides data-driven insights through its proprietary stock assessment tool, ‘Zacks Rank,’ assisting investors in making informed financial decisions.
In late January, a threat actor posted data samples on a hacker forum, claiming the breach occurred in June 2024. The exposed data, available for purchase using cryptocurrency, includes full names, usernames, email addresses, physical addresses, and phone numbers. Despite multiple inquiries from BleepingComputer, Zacks has not responded to confirm the authenticity of the leaked data.
The hacker further claimed to have accessed the company’s active directory as a domain administrator and stolen the source code for Zacks.com and 16 other websites, including internal portals. Samples of the stolen source code were shared as proof of the breach.
The leaked database has now been listed on Have I Been Pwned (HIBP), a platform that allows users to check if their personal information has been compromised. HIBP verified that the database contained 12 million unique email addresses, IP addresses, usernames, physical addresses, phone numbers, and passwords stored as unsalted SHA-256 hashes.
However, approximately 93% of the email addresses found in the breach had already been exposed in previous leaks associated with Zacks or other platforms.
Zacks has not officially confirmed this latest breach. If verified, it would mark the company's third major data breach in four years.
- January 2023: Zacks disclosed that hackers had infiltrated its networks between November 2021 and August 2022, compromising the personal data of 820,000 customers.
- June 2023: HIBP verified another leaked database originating from Zacks. The breach affected 8.8 million users, exposing email addresses, usernames, unsalted SHA-256 passwords, physical addresses, phone numbers, and full names.
- May 2020: Data from Zacks reportedly surfaced online, indicating an earlier security incident.
While no official confirmation has been issued, HIBP has verified the recent leak with a high degree of confidence, suggesting that the compromised data stems from a new security incident.
