
Zacks Investment Research (Zacks) has reportedly suffered an older, previously undisclosed data breach impacting 8.8 million customers, with the database now shared on a hacking forum.

The firm previously disclosed a data breach that occurred between November 2021 and August 2022, warning that unauthorized network intruders accessed the personal and sensitive information of about 820,000 customers.

"We have no reason to believe any customer credit card information, any other customer financial information, or any other customer personal information was accessed," stated Zacks' notification at the time.

However, data breach notification service Have I Been Pwned (HIBP) listed an additional Zacks breach this weekend after being sent a database containing 8.8 million user records.

HIBP's creator, Troy Hunt, told BleepingComputer that this database appears to have been dumped around May 10th, 2020, before the previous breach at Zacks.

Hunt told BleepingComputer that the database contains Zacks customers' email addresses, usernames, unsalted SHA256 passwords, addresses, phone numbers, first and last names, and other data.

Zacks newest data leak notice on HIBP

Financial information, such as credit card and bank account details, is not included in the dump, and it does not appear that the hackers accessed this type of data.

Unfortunately, although Zacks had previously initiated a password reset procedure for the breach disclosed in January, it can be assumed that the remaining 90% of breached accounts, which weren't identified as such, were not included in that measure, leaving them exposed to account hijacking, credential stuffing, and SIM swapping.

While Zacks did not respond to questions from BleepingComputer, Hunt told us that Zacks plans on notifying impacted users, but there is no timeline for when this will be done.

Have I Been Pwned users can now enter their email address on the site and be notified if it was found in the newly leaked Zacks data.

Zacks data shared on hacking forum

Soon after the data breach was added to Have I Been Pwned, the Zacks database was posted on the Exposed hacking forum, a site used to share and sell stolen data.

Exposed is a recently emerged hacking forum that gained notoriety after leaking a database containing the details of almost half a million members of the now-defunct RaidForums.

Threat actor's post on Exposed forums
Source: BleepingComputer

Now that the database has been publicly leaked, threat actors will likely abuse it in phishing or credential-stuffing attacks.

Therefore, all Zacks users are strongly advised to change their passwords to unique ones used only at that site.

If you use the same Zacks password at other sites, you should change the passwords at those sites to unique ones as well.
