Investment research data breach exposes 12 million customers

Finance Sector Faces Increasing Cybersecurity Threats
The finance sector has been experiencing a surge in data breaches and ransomware attacks, surpassing even the healthcare industry. Financial institutions, including banks, fintech companies, and investment research firms, are increasingly becoming targets for cybercriminals. The most recent incident involves Zacks, an American investment research company, where a hacker claimed to have stolen 15 million customer and client records. However, a subsequent investigation revealed that the actual number of records compromised was 12 million.
The Zacks Investment breach was first brought to light in late January 2025 when a hacker known as “Jurak” disclosed on BreachForums that they had gained unauthorized access to Zacks’ systems as early as June 2024. The hacker claimed to have obtained domain administrator privileges for Zacks’ Active Directory, enabling them to steal source code for Zacks.com and 16 other websites, as well as user account data. The stolen information was put up for sale on hacker forums, with samples available for purchase to verify its authenticity.
Further analysis confirmed that the breach occurred in June 2024, exposing 12 million unique email addresses and other personal data. The fact that the attacker managed to gain domain admin access suggests a sophisticated attack, potentially exploiting vulnerabilities in Zacks’ network security. This is not the first time Zacks has experienced a breach, as a previous incident in 2022 compromised an older Zacks Elite product database from 1999 to 2005.
The compromised data from the Zacks Investment breach includes email addresses, IP addresses, names, phone numbers, physical addresses, usernames, and unsalted SHA-256 hashed passwords. This sensitive information poses a significant risk to those affected, as it can be used for various malicious activities such as phishing, identity theft, credential stuffing, and SIM swapping. Additionally, 93% of the leaked email addresses had been previously exposed in other breaches, highlighting the issue of password reuse. The use of unsalted SHA-256 hashes further exacerbates the risk: without a per-user salt, identical passwords produce identical hashes, and SHA-256 is fast to compute, which makes it easier for attackers to crack passwords.
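The contrast between the unsalted SHA-256 storage described above and a salted, memory-hard scheme, as an added Python example (not code from Zacks or from the original article). The account names, passwords, and scrypt parameters are constructed assumptions.

```python
import hashlib
import hmac
import os
from collections import Counter
from typing import Optional, Tuple

# Constructed sample accounts (not data from the breach).
ACCOUNTS = {
    "alice": "Summer2024!",
    "bob": "Summer2024!",  # same password as alice
    "carol": "correct horse battery staple",
}

def unsalted_sha256(password: str) -> str:
    """Weak scheme named in the article: one fast hash, no salt."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()

def scrypt_hash(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Hardened scheme: random per-user salt plus a memory-hard KDF."""
    if salt is None:
        salt = os.urandom(16)
    # Assumed cost parameters (n=2**14, r=8, p=1 uses about 16 MiB per hash).
    digest = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                            n=2**14, r=8, p=1, dklen=32)
    return salt, digest

def scrypt_verify(password: str, salt: bytes, expected: bytes) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    _, digest = scrypt_hash(password, salt)
    return hmac.compare_digest(digest, expected)

def shared_digests(stored: dict) -> int:
    """Count stored digests that appear for more than one account."""
    counts = Counter(stored.values())
    return sum(1 for c in counts.values() if c > 1)

def demo() -> dict:
    weak = {user: unsalted_sha256(pw) for user, pw in ACCOUNTS.items()}
    strong = {user: scrypt_hash(pw) for user, pw in ACCOUNTS.items()}
    return {
        # Unsalted: alice and bob collide, so one recovered hash exposes both.
        "weak_shared": shared_digests(weak),
        # Salted: the same password yields unrelated digests per user.
        "strong_shared": shared_digests({u: d for u, (_, d) in strong.items()}),
        "verify_ok": scrypt_verify("Summer2024!", *strong["alice"]),
        "verify_bad": scrypt_verify("wrong", *strong["alice"]),
    }

if __name__ == "__main__":
    print(demo())
```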
Despite the severity of the breach, Zacks Investment Research has not released an official statement as of February 2025, raising concerns about transparency and accountability. In response to a breach of this scale, here are seven ways individuals can protect themselves:
1. Beware of phishing attempts and use strong antivirus software.
2. Invest in identity theft protection services.
3. Enable two-factor authentication on accounts.
4. Update passwords for affected accounts and use unique, strong passwords.
5. Remove personal data from public databases using data removal services.
6. Stay vigilant for signs of suspicious activity on accounts.
7. Follow cybersecurity best practices to enhance online security.
As cyberattacks continue to target financial institutions, it is essential for individuals to prioritize their online security and take proactive measures to safeguard their personal information. By implementing robust security practices and staying informed about cybersecurity threats, individuals can mitigate the risks associated with data breaches and protect themselves from potential harm.