Historic Zacks Breach Impacts Nearly Nine Million

Security researchers have discovered a compromise of Zacks Investment Research dating back to 2020 that appears to affect millions of customers.

The stock research and analytics firm has so far not publicly disclosed the incident. However, a post on the breach notification site HaveIBeenPwned revealed that a large amount of data covering nearly nine million customers had been widely shared on a popular hacking forum.

“The most recent data was dated May 2020 and contained names, usernames, email addresses, physical addresses, phone numbers, and passwords stored as unsalted SHA-256 hashes,” the post explains.

“In disclosing the larger breach, Zacks advised, in addition to the original report, that ‘unauthorized third parties have also gained access to encrypted [sic] zacks.com customer passwords, but only in encrypted [sic] format.’”

Data exposure means customers should expect follow-on phishing and other attacks.

In January, the company revealed a data breach involving an estimated 820,000 customers, saying it occurred “sometime between November 2021 and August 2022.”

This particular incident involved a legacy database of customers who signed up for Zacks Elite products between November 1999 and February 2005, the company said at the time.

“The specific information that we believe was accessed was your name, address, phone number, email address, and password used on Zacks.com,” it added in the breach notice.

“We have no reason to believe that customer credit card information, other customer financial information, or other customer personal information was accessed.”

Customers are no doubt concerned not only by the scale of the newly revealed breach, but also by the fact that it went undetected for so long.
