Investment Research Data Breach: 12 Million Customers at Risk

The Growing Threat of Cyberattacks in Finance

In recent years, the financial sector has emerged as a prime target for cybercriminals, surpassing even the healthcare industry in the frequency of data breaches and ransomware attacks. Financial institutions—including banks, fintech companies, and investment research firms—are increasingly susceptible to security incidents, raising concerns about the safety of customer data.

Zacks Investment Research: A Major Breach Exposed

The latest incident involves Zacks, a well-known American investment research company. Initially, a hacker claiming to be “Jurak” asserted on BreachForums that they had stolen 15 million customer records. However, subsequent investigations revealed that the actual number of compromised records is 12 million.

The breach came to light in late January 2025, with reports indicating that the hacker gained access to Zacks’ systems as early as June 2024. By acquiring domain administrator privileges for Zacks’ Active Directory (a crucial component of network security), the attacker was able to steal not only user account data but also source code for Zacks.com and 16 other websites, including internal tools. The stolen data was then listed for sale on hacker forums, with samples offered for a small cryptocurrency payment to demonstrate authenticity.

The breach highlights serious vulnerabilities in Zacks’ network security, as the attacker’s ability to gain domain admin access suggests a highly sophisticated operation.

A Troubling History of Breaches

This is not the first time Zacks has faced a data breach. In 2022, an attack compromised an outdated product database from Zacks Elite, covering the years 1999 to 2005, as noted on Zacks’ own breach disclosure page. The recurrence of such incidents raises questions about the company’s commitment to securing customer data.

What Information Was Exposed?

According to Have I Been Pwned (HIBP), the Zacks Investment breach exposed a range of sensitive user information, putting those affected at risk. The leaked data includes:

– Email addresses
– IP addresses
– Names
– Phone numbers
– Physical addresses
– Usernames
– Unsalted SHA-256 hashed passwords

The risk associated with this information is significant. It can be misused for various malicious activities, including phishing, identity theft, credential stuffing, harassment, and even physical threats. Alarmingly, 93% of the leaked email addresses had previously appeared in other data breaches, highlighting the dangers associated with reused passwords. Furthermore, the use of unsalted SHA-256 hashes—considered outdated—makes it easier for attackers to crack passwords and gain unauthorized access to accounts.
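To make the unsalted-hash point concrete, the following added example (not code from Zacks or from the original article) contrasts unsalted SHA-256 with a per-user salted, slow key-derivation function. The sample accounts, function names and the PBKDF2 iteration count are assumptions chosen for illustration.

```python
import hashlib
import hmac
import os
from collections import defaultdict

# Constructed sample accounts (not real data): alice and bob reuse one password.
USERS = [("alice", "Summer2024!"), ("bob", "Summer2024!"), ("carol", "t7#Lq9vX")]

ITERATIONS = 600_000  # assumed work factor; tune to your own hardware budget


def unsalted_sha256(password: str) -> str:
    """The weak scheme named in the breach: one fast hash, no salt."""
    return hashlib.sha256(password.encode()).hexdigest()


def shared_hash_groups(records):
    """Group usernames by stored hash; a group of 2+ exposes a shared password."""
    groups = defaultdict(list)
    for user, digest in records:
        groups[digest].append(user)
    return [sorted(names) for names in groups.values() if len(names) > 1]


def store_password(password: str):
    """Hardened storage: random 16-byte salt per user plus a slow KDF."""
    salt = os.urandom(16)
    key = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, key


def verify_password(password: str, salt: bytes, key: bytes) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return hmac.compare_digest(candidate, key)


if __name__ == "__main__":
    legacy = [(u, unsalted_sha256(p)) for u, p in USERS]
    print("unsalted, identical hashes:", shared_hash_groups(legacy))
    salted = [(u, store_password(p)[1].hex()) for u, p in USERS]
    print("salted KDF, identical hashes:", shared_hash_groups(salted))
```

With unsalted hashes, one cracked or precomputed value unlocks every account that shares the password; with per-user salts each record has to be attacked separately, and the iteration count makes every guess expensive.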

Lack of Transparency from Zacks

As of February 2025, Zacks Investment Research has not released an official statement regarding the breach, raising concerns about transparency and accountability. Given the scale of the incident and the company’s history of security lapses, the silence is especially troubling for those affected.

Protect Yourself: Steps to Take After a Data Breach

In the aftermath of the Zacks Investment breach, it’s essential for individuals to take proactive measures to safeguard their personal information. Here are some critical steps to consider:

1. **Beware of Phishing Scams**: After a breach, scammers often exploit stolen data to create convincing phishing messages. Be cautious when receiving unsolicited messages that ask for personal or financial details.

2. **Invest in Identity Theft Protection**: Consider using identity theft protection services that monitor your financial accounts and alert you to any signs of fraudulent activity.

3. **Enable Two-Factor Authentication (2FA)**: This adds an extra layer of security to your online accounts. Even if hackers obtain your login credentials, they won’t gain access without the second verification step.

4. **Update Your Passwords**: Change passwords for affected accounts and use strong, unique passwords for each one. A password manager can help you keep track of these.

5. **Remove Personal Data from Public Databases**: Consider using a data removal service to minimize your personal information’s exposure online, thereby reducing the risk of identity theft.

Conclusion: The Ongoing Threat of Cyberattacks

The Zacks Investment breach serves as a stark reminder of the persistent threat posed by cyberattacks in the financial sector. With millions of users affected and sensitive data compromised, the potential for scams and identity theft has intensified. The lack of communication from Zacks only adds to the uncertainty for those impacted.

As cyber threats continue to evolve, it is vital for individuals to prioritize online security by employing unique passwords, monitoring accounts closely, and remaining vigilant against suspicious activities.

Do you believe there should be stricter regulations regarding how companies disclose breaches and safeguard customer data? Share your thoughts with us.


  • March 1, 2025