Data Breach Exposes Millions of Customer Records at Zacks Investment Research
In recent news, Zacks Investment Research, a prominent American investment analysis firm, has fallen victim to a significant data breach that has compromised the personal information of millions of its customers. Security incidents in the financial sector continue to escalate, with Zacks being the latest target amidst a worrying trend of increasing cyberattacks against banks, fintech firms, and investment entities.
The breach gained public attention in late January 2025 when a hacker operating under the alias "Jurak" announced on the illicit forum BreachForums that they had infiltrated Zacks’ systems. The hacker claimed to have gained unauthorized access as early as June 2024. Subsequent investigations validated the breach, revealing that approximately 12 million unique email addresses, along with other sensitive data, were stolen.
The attacker’s claim of holding domain administrator privileges on Zacks’ Active Directory, a critical network security component, signals a deep level of compromise. This access allowed the hacker to exfiltrate not only user account data but also proprietary source code for Zacks.com and an additional 16 related websites. The compromised data has reportedly been offered for sale on various hacker forums, with samples made available to potential buyers, in exchange for cryptocurrency payments, to prove authenticity.
Notably, the exposure of 12 million customer records underscores the pervasive vulnerabilities within financial institutions’ cybersecurity measures. Investigations indicate that the attack leveraged techniques aligned with the MITRE ATT&CK framework, likely involving initial access through exploiting vulnerabilities, privilege escalation, and potentially lateral movement within Zacks’ network.
This is not Zacks’ first experience with cybersecurity threats; the firm has faced previous breaches, including one in 2022 that targeted an outdated product database. The recurring nature of such breaches raises concerns regarding the robustness of Zacks’ security posture and its ability to protect sensitive customer information.
The compromised data encompasses a broad spectrum of personal information, including email addresses, IP addresses, physical addresses, names, phone numbers, usernames, and passwords stored as unsalted SHA-256 hashes. Such information is ripe for misuse in phishing schemes, identity theft, and various other fraudulent activities. Alarmingly, a significant portion of the leaked email addresses had previously been exposed in earlier breaches, compounding the risk for individuals who reuse passwords across different platforms.
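Why unsalted SHA-256 password hashes compound the password-reuse risk described above, shown as an added example (not code from Zacks or from the original article): identical passwords produce identical digests, while a per-user salt with a slow key-derivation function does not. The account names, passwords, function names, record format and PBKDF2 iteration count are constructed assumptions.

```python
import hashlib
import hmac
import os
from collections import defaultdict

ITERATIONS = 600_000  # assumption: PBKDF2-HMAC-SHA256 work factor chosen for this example

def unsalted_sha256(password):
    """The weak scheme the article describes: no salt, one fast hash."""
    return hashlib.sha256(password.encode()).hexdigest()

def reused_passwords(leaked):
    """Group accounts whose unsalted digests match, i.e. that share a password."""
    groups = defaultdict(list)
    for user, digest in leaked.items():
        groups[digest].append(user)
    return sorted(sorted(users) for users in groups.values() if len(users) > 1)

def hash_password(password, salt=None):
    """Hardened form: random per-user salt plus a deliberately slow KDF."""
    salt = salt or os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${dk.hex()}"

def verify_password(password, stored):
    """Recompute the KDF with the stored salt and compare in constant time."""
    scheme, iters, salt_hex, dk_hex = stored.split("$")
    if scheme != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                             bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk, bytes.fromhex(dk_hex))

def upgrade_on_login(password, legacy_digest):
    """Replace a legacy unsalted record once the user supplies the right password."""
    if hmac.compare_digest(unsalted_sha256(password), legacy_digest):
        return hash_password(password)
    return None

# Constructed sample accounts (not real data): two users share one password.
SAMPLE = {"alice": "Summer2024!", "bob": "Summer2024!", "carol": "x9#Lq7vT"}
LEGACY = {user: unsalted_sha256(pw) for user, pw in SAMPLE.items()}

if __name__ == "__main__":
    print("shared passwords visible in unsalted table:", reused_passwords(LEGACY))
    a, b = hash_password("Summer2024!"), hash_password("Summer2024!")
    print("salted records for the same password differ:", a != b)
    print("salted record still verifies:", verify_password("Summer2024!", a))
```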
Despite the seriousness of the security incident, Zacks Investment Research has yet to release an official statement addressing the breach, causing uncertainty among the affected clientele. The lack of transparency during such critical incidents can lead to further unease and mistrust regarding data protection practices.
As organizations grapple with the evolving landscape of cyber threats, the Zacks Investment breach serves as a reminder of the vulnerabilities faced by financial institutions. Business owners should remain vigilant, adopting rigorous cybersecurity measures including the implementation of strict access controls, regular security audits, and education around cyber hygiene to reduce the risk of becoming victims of similar attacks.
In conclusion, as the frequency of cyberattacks surges, emphasizing proactive risk management and reinforcing cybersecurity infrastructures becomes paramount for financial institutions to safeguard sensitive customer data against increasingly sophisticated threats.