Zacks Investment Research (Zacks) last year reportedly suffered another data breach that exposed sensitive information related to roughly 12 million accounts.

Zacks is an American investment research company that provides its customers with data-driven insights through a proprietary stock performance assessment tool called ‘Zacks Rank’, to help with making informed financial decisions.

In late January, a threat actor published data samples on a hacker forum, claiming a breach at Zacks in June 2024 that exposed data of millions of customers. The published data, available to forum members in exchange for a small cryptocurrency amount, contains full names, usernames, email addresses, physical addresses, and phone numbers.

BleepingComputer contacted Zacks multiple times to ask about the authenticity of the data, but we have not heard back. However, the threat actor told BleepingComputer that they gained access to the company's Active Directory as a domain admin and then stole source code for the main site (Zacks.com) and 16 other websites, including some internal websites. They also shared samples of the source code they had stolen as proof of the new breach.

Earlier today, the leaked Zacks database was added to Have I Been Pwned (HIBP), a website where users can check if their personal data has been compromised. HIBP confirmed that the file included 12 million unique email addresses, along with IP addresses, names, passwords in the form of unsalted SHA-256 hashes, phone numbers, physical addresses, and usernames. However, the service also notes that roughly 93% of the leaked email addresses were already in its database from past breaches of the same platform or other services.

It should be noted that there is also the possibility of threat actors scraping the information from other services and compiling a database with user information associated with Zacks.

Zacks has not confirmed the alleged breach, but if the data leak proves to be the result of a new hack, it may be the third major data breach impacting the company in the past four years.

In January 2023, Zacks disclosed that hackers had breached its networks between November 2021 and August 2022, and gained access to sensitive information of 820,000 customers. A few months later, in June 2023, HIBP validated a separate database originating from Zacks, which had been leaked earlier. That database contained email addresses, usernames, unsalted SHA-256 passwords, addresses, phone numbers, and the full names of 8.8 million individuals using Zacks’ services. According to Troy Hunt, the creator of the HIBP service, the data appeared to have been dumped in May 2020, indicating that it resulted from an older incident.

The latest leak of Zacks customers, while not officially validated, has been verified by HIBP before adding it to the service and there is a very high degree of confidence that it comes from a new incident.

Bill Toulas is a tech writer and infosec news reporter with over a decade of experience working on various online publications, covering open-source, Linux, malware, data breach incidents, and hacks.
This Cyber News was published on www.bleepingcomputer.com. Publication date: Thu, 13 Feb 2025 17:40:03 +0000