A database containing the personal information of more than 8.8 million Zacks Investment Research users has emerged on a hacking forum.
According to data breach notification service Have I Been Pwned, the database contains names, addresses, phone numbers, email addresses, usernames, and passwords stored as unsalted SHA-256 hashes.
Have I Been Pwned’s maintainer, Troy Hunt, says he contacted Zacks to disclose the larger breach and the company told him that the attackers only gained access to encrypted passwords.
According to Hunt, the new database emerged on June 10, 2023, and soon after it was “broadly circulated on a popular hacking forum”.
The most recent entry in the newly discovered database is dated May 2020, which suggests that Zacks might have not been aware of the leak when disclosing a data breach in January 2023.
At the time, Zacks said the data breach occurred sometime between November 2021 and August 2022 and that it impacted the personal information of roughly 820,000 individuals who signed up for one of its products between November 1999 and February 2005.
The company also said that customer credit card details and other financial and personal information was not compromised in the incident. Zacks said at the time that it reset the passwords for the impacted accounts.
With the database shared on a hacking forum, the affected individuals might fall victim to phishing and other types of attacks, especially if they are not aware of their personal information being exposed.
Zacks provides stock research, analysis, and recommendations for firms in the US.
Responding to a SecurityWeek inquiry, Zacks has provided the following statement:
We have confirmed that in association with the prior data breach disclosed by Zacks, which relates to a smaller subset of customers whose unencrypted passwords were compromised, the unauthorized third parties also gained access to encrypted passwords of zacks.com customers. We have no reason to believe any customer credit card information or any other customer financial information was accessed for any Zacks customer at any time. We have recommended that customers change their zacks.com passwords, as well as the password for all other online accounts for which they use the same e-mail address and password, and monitor financial accounts and consumer credit reports, although again, no financial information has been compromised. Zacks is also taking steps now to further enhance password security. We regret any inconvenience to our customers and we remain vigilant in protecting their personal information.
*updated with statement from Zacks