The personal information of over 8.9 million Zacks Investment Research users has been exposed in a data breach, with a database appearing on a cybercrime forum. The archive from Zacks, a prominent investment research firm specializing in stock research and analysis, was reported by the data breach notification service Have I Been Pwned (HIBP).
The leaked records contain names, addresses, phone numbers, email addresses, usernames, and passwords stored as unsalted SHA-256 hashes.
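The following Python code is an added example, not code from Zacks or HIBP. It contrasts the unsalted SHA-256 storage described above with a per-user salted, slow-KDF record, and shows how a legacy record can be replaced at the next successful login. The record format, function names and iteration count are assumptions made for this example.

```python
from __future__ import annotations

import hashlib
import hmac
import os

PBKDF2_ITERATIONS = 600_000  # assumed work factor for this example; tune per deployment

def legacy_hash(password: str) -> str:
    """Unsalted SHA-256, the scheme reported for the leaked records."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()

def salted_hash(password: str, salt: bytes | None = None,
                iterations: int = PBKDF2_ITERATIONS) -> str:
    """Per-user random salt plus a deliberately slow KDF (PBKDF2-HMAC-SHA256)."""
    if salt is None:
        salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"

def verify(stored: str, password: str) -> bool:
    """Check a password against either record format, comparing in constant time."""
    if stored.startswith("pbkdf2_sha256$"):
        _, iterations, salt_hex, _ = stored.split("$")
        candidate = salted_hash(password, bytes.fromhex(salt_hex), int(iterations))
    else:
        candidate = legacy_hash(password)
    return hmac.compare_digest(candidate, stored)

def verify_and_upgrade(stored: str, password: str) -> tuple[bool, str]:
    """After a successful login on a legacy record, return a salted replacement."""
    if not verify(stored, password):
        return False, stored
    if not stored.startswith("pbkdf2_sha256$"):
        stored = salted_hash(password)
    return True, stored

if __name__ == "__main__":
    pw = "correct horse battery staple"  # constructed sample password
    # Same password on two accounts: unsalted digests are identical, so one
    # precomputed lookup resolves every account that shares that password.
    print("unsalted records equal:", legacy_hash(pw) == legacy_hash(pw))
    # Salted records differ per account even when the password is the same.
    print("salted records equal:  ", salted_hash(pw) == salted_hash(pw))
    ok, upgraded = verify_and_upgrade(legacy_hash(pw), pw)
    print("login ok:", ok, "| new scheme:", upgraded.split("$")[0])
```

Upgrading at login only protects accounts that sign in again; the copies of the unsalted hashes that have already leaked are unaffected, which is why the password changes recommended to users still matter.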
Zacks had previously disclosed a data breach in January, affecting approximately 820,000 customers. The intrusion was discovered in late 2022, is believed to have occurred between November 2021 and August 2022, and involved an older database of customers who signed up for the Zacks Elite product between November 1999 and February 2005.
While the company stated that there was no evidence of exposed financial data, the recent breach has put almost 9 million Zacks customers at risk.
The leaked database, which includes information up to May 2020, has raised concerns about the security and privacy of affected users. Zacks attempted to downplay the breach, claiming that threat actors only accessed encrypted passwords.
However, the availability of this extensive database in the cybercrime ecosystem poses a significant risk to Zacks Investment Research users. Impacted customers are urged to change their passwords for all online accounts using the same credentials, monitor financial accounts, and keep an eye on their consumer credit reports.
The company must take immediate action to address the breach, enhance security measures, and protect its customers from further harm.