Zacks Investment Research Data Breach Exposes Millions of User Records
Zacks Investment Research, a well-known financial data and analysis company, has reportedly suffered a significant data breach, affecting approximately 12 million users. This incident, the third major breach since 2022, has been highlighted by Bleeping Computer, which cited discussions on an underground hacking forum where sensitive personal data is allegedly for sale as a full dataset.
The breach has raised serious concerns about cybersecurity within the financial sector, particularly as it exposes critical user information, including names, usernames, email addresses, physical addresses, IP addresses, and phone numbers. The stolen data is being offered on the dark web in exchange for a small sum of cryptocurrency. A concerning figure mentioned by Have I Been Pwned? indicates that 93% of the compromised email accounts had previously been exposed in earlier security incidents.
This latest breach builds on earlier vulnerabilities faced by Zacks. A data leak in December 2022 resulted in the exposure of information from around 820,000 customers who had used Zacks Elite products nearly two decades ago. Another earlier breach in June 2023 disclosed information on over 8.8 million users, including sensitive details gathered from databases up to May 2020. Each of these incidents points to recurring security lapses within the organization.
The recent breach distinctly involved attackers gaining entry through domain administrator privileges, which allowed them to not only access sensitive user data but also steal source code from the company’s main website and additional internal resources. The tactics employed by these adversaries fall within several categories outlined in the MITRE ATT&CK framework, including initial access and privilege escalation, which facilitated their infiltration into Zacks’s systems.
As data breaches have become alarmingly commonplace, users and business owners alike are urged to prioritize cybersecurity measures. It is particularly essential for Zacks users to adopt advanced identity theft protection software and to vigilantly monitor their credit reports for any unusual activity.
Moreover, businesses should consider deploying robust antivirus solutions alongside additional security features like password managers and virtual private networks (VPNs). Cybersecurity awareness is crucial as criminals may leverage leaked data to engineer targeted phishing attempts through sophisticated, personalized communications.
For those concerned about their online information, data removal services can also be valuable in mitigating exposure on the internet. These services assist in reducing the availability of personal data while identity theft protection can help safeguard against unauthorized attempts to use this information.
While Zacks Investment Research has yet to issue an official statement confirming this breach, the extensive scale of the incident is alarming. Business leaders must proactively assess their cybersecurity infrastructure to prevent similar future attacks and to protect sensitive client data from being exploited in a volatile cyber threat landscape.
