Zacks Investment Research (Zacks), a renowned financial research firm, has recently disclosed an older, previously undisclosed data breach that has affected a staggering 8.8 million customers. The data breach, which resulted in the compromise of sensitive customer information, has led to the circulation of the compromised database on a notorious hacking forum.
This incident comes in the wake of Zacks' earlier admission of a data breach that occurred between November 2021 and August 2022, affecting approximately 820,000 customers. At that time, Zacks assured its customers that there was no indication of unauthorized access to credit card information, financial details, or other personal data.
The data breach notification service, Have I Been Pwned (HIBP), has added another Zacks breach to its database. HIBP received a collection of 8.8 million user records. Troy Hunt, the creator of HIBP, stated that the leaked database dates back to May 10th, 2020, predating the previous breach.
The compromised database contains various customer information, including email addresses, usernames, passwords stored as unsalted SHA-256 hashes, addresses, phone numbers, and first and last names. The dump included no financial information; credit card and bank account details were not compromised or accessed.
Regrettably, while Zacks had previously initiated a password reset procedure for the breach disclosed in January, it is likely that the remaining 90% of breached accounts were not covered by this measure. As a result, these accounts are now vulnerable to account hijacking, credential stuffing, and SIM-swapping attacks.
Although Zacks has not responded to any inquiries, it has been confirmed that the company intends to notify affected users. However, no specific timeline has been provided for when this notification process will take place.
Have I Been Pwned users can now check if their email addresses were compromised in the latest Zacks data leak. This proactive measure will help users stay informed about potential security risks related to their accounts.
Unfortunately, shortly after adding the Zacks data breach to Have I Been Pwned, the compromised database was shared on the Exposed hacking forum. This newly emerged hacking forum has gained notoriety for its involvement in disseminating and selling stolen data. Notably, the forum previously leaked a database containing details of nearly half a million members from the now-defunct RaidForums.
With the public release of the Zacks database, threat actors will likely exploit this information for malicious purposes, such as phishing or credential-stuffing attacks. Therefore, all Zacks users are strongly urged to change their passwords immediately. They should also ensure that the new password is unique to their Zacks account and not used anywhere else.
Additionally, if users employ the same password for other online platforms, it is crucial to change those passwords as well, using distinct ones for each site. This proactive measure significantly reduces the risk of account compromise across multiple platforms.
Zacks Investment Research acknowledges the severity of this incident and expresses regret for any inconvenience it may have caused its customers. Recognizing the prevalence of cybercriminal activity in our digital society, Zacks remains committed to safeguarding customer information by continuously enhancing its cybersecurity efforts and implementing additional security measures.
To address any concerns or queries related to this incident, Zacks has established a toll-free response line. Customers can contact the support team at 1-855-813-3507, Monday through Friday, between 9:00 a.m. and 5:00 p.m. Central time.
Zacks Investment Research remains dedicated to providing transparent communication and protecting the personal information of its valued customers. In light of this breach, Zacks urges its customers to regularly update their passwords for zacks.com and other online accounts and to monitor their financial accounts and consumer credit reports diligently.