Zacks Investment, a leading investment research company, has allegedly suffered a data breach that could see roughly 15 million customer records exposed.
A threat actor under the name Jurak posted on the dark web hacking forum BreachForums on 24 January 2025, claiming to have breached Zacks Investment in June last year.
Zacks is a major financial analysis provider best known for its Zacks Ranks platform used to assess stock performance. The post alleges that the stolen information contains source code as well as Zacks’ database, “containing 15 million customer lines of their customers and clients”.
This includes usernames, emails, passwords, addresses, full names, and phone numbers, according to the poster, who provided a sample of the customer data as proof.
Jurak added that they considered releasing the source code publicly but opted against it, stating trustworthy users with a ‘high reputation’ could request the source code by contacting them directly.
According to Have I Been Pwned, the stolen customer information is said to affect 12 million unique email addresses, stating the number of compromised accounts was 11,994,223.
It notes the customer information included unsalted SHA-256 password hashes, which raises serious concerns as they are vulnerable to cracking via brute force methods.
The threat actor, who spoke to BleepingComputer, said they used privileges of a domain admin to gain access to the company’s active directory and stole the source code for its primary domain (zacks.com) as well as 16 other sites.
ITPro has approached Zacks Investment Research but did not receive a response by the time of publishing.
Incident marks third Zacks Investment security breach
In its post announcing the breach, the user referred to a previous breach that took place in late 2022 and exposed sensitive information relating to 820,000 customers.
In a post acknowledging the incident, the firm stated that its team had identified that an unknown actor had gained unauthorized access to customer records.
The firm initially stated the exposed customer information was limited to those who had signed up for its Zacks Elite product between 1999 and February 2005.
Security shouldn't be an afterthought in the development process
However, the company later clarified that it had found the attackers had gained access to encrypted passwords of ‘zacks.com’ customers up to May 2020 in a second breach that took place in June 2023.
This database contained information such as the full names, emails, usernames, unsalted SH-256 passwords, addresses, and phone numbers of 8.8 million Zacks users.
This would take the total number of exposed users to over 21 million in the last four years.
MORE FROM ITPRO
