What happened in the latest Zacks Investment Research data breach?

Zacks Investment Research experienced a significant data breach affecting approximately 12 million user accounts. The breach reportedly occurred in June 2024, with data samples being published on a hacker forum in late January 2025.

What types of information were exposed in the breach?

The exposed data includes full names, usernames, email addresses (12 million unique addresses), physical addresses, phone numbers, passwords (in unsalted SHA-256 hash format), and IP addresses.

Has the breach been verified?

Yes, Have I Been Pwned (HIBP) has verified and added the leaked database to their service. They noted that approximately 93% of the exposed email addresses were already present in their database from previous breaches.

Has Zacks experienced previous data breaches?

Yes, this is the third major data breach for Zacks in the past four years. Previous breaches include one in May 2020 affecting 8.8 million users (verified by HIBP) and another between November 2021 and August 2022 impacting 820,000 customers (disclosed by Zacks in January 2023).

How many users were affected by this breach?

The breach affected approximately 12 million user accounts, as evidenced by the number of unique email addresses exposed.

What is the potential impact of the exposed passwords?

The passwords were stored in unsalted SHA-256 hash format, which could potentially be cracked by attackers. This format is considered less secure than modern password hashing methods, potentially putting users at risk if they reused these passwords on other services.

Incident

Zacks Investment Research user data breached, hacker leaks info of 12 million users

published: Feb. 13, 2025

Learn More

Zacks Investment Research, an American investment research company, has reportedly experienced another significant data breach affecting approximately 12 million user accounts. In late January 2025 a threat actor published data samples on a hacker forum, claiming the breach occurred in June 2024.

The exposed data includes:

Full names
Usernames
Email addresses (12 million unique addresses)
Physical addresses
Phone numbers
Passwords (in unsalted SHA-256 hash format)
IP addresses

According to the threat actor, they gained domain admin access to the company's active directory and successfully exfiltrated the source code for the main Zacks.com website and 16 additional websites, including internal ones.

Have I Been Pwned (HIBP) has verified and added the leaked database to their service, noting that approximately 93% of the exposed email addresses were already present in their database from previous breaches.

This incident appears to be the third major data breach for Zacks in the past four years:

May 2020: 8.8 million users affected (verified by HIBP)
November 2021-August 2022: 820,000 customers impacted (disclosed by Zacks in January 2023)

Zacks Investment Research user data breached, hacker leaks info of 12 million users

Read More
Paysign investigates data breach claims on hacking forum
United Bank reports MOVEit related data breach
ABN Amro reports possible client data breach in …
Egyptian fintech Fawry denies breach even though listed …
Vallianz Holdings reports ransomware attack, claims minimal impact