Did you know that Zacks Investment Research (Zacks) recently faced a data breach affecting 8.8 million customers? What’s more concerning is that this older, previously undisclosed breach has now been shared on a hacking forum.
Although the company had disclosed a data breach that took place between November 2021 and August 2022, impacting around 820,000 customers, this new information reveals a much larger problem.
At the time, Zacks claimed that no customer financial information or personal data was accessed. However, the data breach notification service Have I Been Pwned (HIBP) has now listed a separate Zacks breach after receiving a database containing 8.8 million user records.
HIBP’s creator, Troy Hunt, informed us that this database appears to have been dumped around May 10th, 2020, before the previously known breach at Zacks. The database contains an extensive amount of information, including customers’ email addresses, usernames, unsalted SHA256 passwords, addresses, phone numbers, first and last names, and more.
Thankfully, financial information such as credit card and bank account details are not included in this leaked data. However, the damage has already been done for the remaining 90% of breached accounts that weren’t identified in the initial disclosure. These accounts have been left exposed to account hijacking, credential stuffing, and SIM swapping.
Zacks has not responded to our inquiries, but Troy Hunt told us that they plan to notify impacted users. Unfortunately, there’s no timeline for when this will happen. In the meantime, Have I Been Pwned users can enter their email address on the site and be notified if it was found in the newly leaked Zacks data.
What happens next?
Shortly after the data breach was added to Have I Been Pwned, the Zacks database showed up on the Exposed hacking forum. This site is known for sharing and selling stolen data and gained notoriety after leaking a database containing the details of nearly half a million members of the now-defunct RaidForums.
Now that the database has been leaked publicly, threat actors are likely to exploit it in phishing or credential-stuffing attacks. As a result, all Zacks users are strongly advised to change their passwords to unique ones that they only use for that site. If you’ve used the same Zacks password on other sites, it’s crucial to change those passwords as well.
Don’t wait until it’s too late. As a business owner, you need to be proactive in protecting your company’s and customers’ data. At ZZ Servers, we understand the importance of cybersecurity and are here to help. Contact us today to learn how our IT Services can assist you in safeguarding your valuable assets from potential threats.
