Data breach of Zacks Research exposed on hacking forums, impacting 8 million

Have I Been Pwned, a service that notifies individuals of data breaches, has issued a warning about a massive data ;eak affecting Zacks Investment Research (Zacks).

The leak impacts approximately 8 million customers and came to light when a database containing 8.8 million user records from Zacks was discovered on the Exposed hacking forum.

Zacks had previously disclosed a separate data breach that occurred between November 2021 and August 2022, affecting around 820,000 customers. At that time, Zacks stated that there was no evidence to suggest that customer credit card information, financial details, or other personal information had been accessed.

The Have I Been Pwned service received a database containing 8.8 million user records, indicating a second breach at Zacks or a much wider scale of the reported breach than was shared with the public.

The compromised database contains various types of customer information, including

• email addresses,
• usernames,
• unsalted SHA256 passwords,
• addresses,
• phone numbers,
• first and last names,

Financial information such as credit card details and bank account numbers are not included in the leaked data.

It is worth noting that although Zacks had initiated a password reset procedure for the breach disclosed in January, it is likely that the remaining 90% of breached accounts, which were not identified as compromised, were not included in the password reset measure.

Given that the Zacks database has now been publicly exposed, it is highly likely that threat actors will exploit the data for phishing attempts or credential stuffing attacks (trying out the leaked passwords until one is successful).

It has been reported that Zacks intends to notify the affected users.