A database containing the personal information of more than 8.8 million Zacks Investment Research users has emerged on a hacking forum.
According to data breach notification service Have I Been Pwned, the database contains names, addresses, phone numbers, email addresses, usernames, and passwords stored as unsalted SHA-256 hashes.
Have I Been Pwned’s maintainer, Troy Hunt, says he contacted Zacks to disclose the larger breach and the company told him that the attackers only gained access to encrypted passwords.
According to Hunt, the new database emerged on June 10, 2023, and soon after it was “broadly circulated on a popular hacking forum”.
The most recent entry in the newly discovered database is dated May 2020, which suggests that Zacks might have not been aware of the leak when disclosing a data breach in January 2023.
At the time, Zacks said the data breach occurred sometime between November 2021 and August 2022 and that it impacted the personal information of roughly 820,000 individuals who signed up for one of its products between November 1999 and February 2005.
The company also said that customer credit card details and other financial and personal information was not compromised in the incident. Zacks said at the time that it reset the passwords for the impacted accounts.
With the database shared on a hacking forum, the affected individuals might fall victim to phishing and other types of attacks, especially if they are not aware of their personal information being exposed.
Zacks provides stock research, analysis, and recommendations for firms in the US.
Responding to a SecurityWeek inquiry, Zacks has provided the following statement:
We have confirmed that in association with the prior data breach disclosed by Zacks, which relates to a smaller subset of customers whose unencrypted passwords were compromised, the unauthorized third parties also gained access to encrypted passwords of zacks.com customers. We have no reason to believe any customer credit card information or any other customer financial information was accessed for any Zacks customer at any time. We have recommended that customers change their zacks.com passwords, as well as the password for all other online accounts for which they use the same e-mail address and password, and monitor financial accounts and consumer credit reports, although again, no financial information has been compromised. Zacks is also taking steps now to further enhance password security. We regret any inconvenience to our customers and we remain vigilant in protecting their personal information.
*updated with statement from Zacks
Related: Intellihartx Informs 490k Patients of GoAnywhere-Related Data Breach
Related: Apria Healthcare Notifying 2 Million People of Years-Old Data Breaches
Related: Brightly Software Notifying 3 Million SchoolDude Users of Data Breach
More from Ionut Arghire
- Generative AI Startup Nexusflow Raises $10.6 Million
- Researchers Extract Sounds From Still Images on Smartphone Cameras
- Hackers Set Sights on Apache NiFi Flaw That Exposes Many Organizations to Attacks
- Cloudflare Users Exposed to Attacks Launched From Within Cloudflare: Researchers
- FBI Warns Organizations of Dual Ransomware, Wiper Attacks
- Lumu Raises $30 Million for Threat Detection and Response Platform
- Cisco Warns of IOS Software Zero-Day Exploitation Attempts
- Russian Zero-Day Acquisition Firm Offers $20 Million for Android, iOS Exploits
Latest News
- Bankrupt IronNet Shuts Down Operations
- AWS Using MadPot Decoy System to Disrupt APTs, Botnets
- Generative AI Startup Nexusflow Raises $10.6 Million
- In Other News: RSA Encryption Attack, Meta AI Privacy, ShinyHunters Hacker Guilty Plea
- Researchers Extract Sounds From Still Images on Smartphone Cameras
- National Security Agency is Starting an Artificial Intelligence Security Center
- CISA Warns of Old JBoss RichFaces Vulnerability Being Exploited in Attacks
- Hackers Set Sights on Apache NiFi Flaw That Exposes Many Organizations to Attacks
