Zacks data breach affects 8.8 million users

Zacks Investment Research (Zacks) has suffered a previously undisclosed data breach affecting approximately 8.8 million customers.

Notably, Zacks had a data breach between November 2021 and August 2022 in which unauthorized cyber attackers "accessed" the sensitive personal information of approximately 820,000 customers. However, Zack claimed in a briefing at the time that it had no reason to believe that any customer credit card information, any other customer financial information, or any other customer personal information had been accessed.

Zacks massive data breach

The data breach lookup site Have I Been Pwned (HIBP) listed a new Zacks breach late last week after receiving a database containing 8.8 million user records.

Troy Hunt, creator of HIBP, said the database appears to have been dumped around May 10, 2020 (before the first disclosed leak of 820,000 customer information).

In addition, Hunt noted that the leaked database contained Zacks customers' email addresses, usernames, unsalted SHA256 passwords, addresses, phone numbers, first and last names and other data information.

It was noted that the cyber attackers did not have access to financial information such as credit cards and bank accounts. Unfortunately, Zacks had previously initiated a password reset process for the vulnerability disclosed in January, but 90 percent of accounts not identified as vulnerable were not included in the measure, leaving them open to account hijacking, credential stuffing and SIM card exchange security risks.

Zacks data appears on hacking forums

Shortly after the data breach was added to Have I Been Pwned, the Zacks database was posted on the Exposed hacker forum. (The forum, a site for sharing and selling stolen data, is notorious for leaking a database containing the details of nearly half a million members of the now-defunct RaidForums.)

Finally, given that the database has now been publicly compromised, threat attackers may be able to misuse it in phishing or credential stuffing attacks. Therefore, it is strongly recommended that all Zacks users change their passwords to a unique password used only on this site, and if the same Zacks password is used on another site, it is recommended that the password be changed immediately.