Have I Been Pwned?, a service that notifies people when their sensitive information is leaked online following a data breach, has listed a previously undisclosed database apparently stolen in early May 2022 from Zacks Investment Research.
Speaking to BleepingComputer, HIBP founder Tory Hunt said the database was listed on a hacking forum called Exposed, and carried 8.8 million personally identifiable data records.
The database contains email addresses, usernames, unsalted SHA256 passwords, addresses, phone numbers, full names, and other data belonging to Zacks customers. Other important information, such as credit card information, or bank account details, were not listed in the database, it was added. The publication states there is no evidence such data was accessed by the hackers at all.
Analysis: Why does it matter?
Some people refer to data as the gold of the 21st century. While legitimate businesses are trying different tactics to legally obtain as much information on their customers as possible, to use it for personalization efforts and tailored offerings, hackers are focused on stealing this data and using it in different ways. The easiest thing is to simply sell it to a third party on a dark web forum and make a profit. Some threat actors sometimes engage in ransom negotiations with the victims, demanding payment in Bitcoin and other cryptocurrencies in exchange for deleting the data. Others use it to run more sophisticated cyberattacks, such as malware attacks, identity theft, SIM swapping, wire fraud, and more.
Zacks Investment Research is an American company publishing research and other content related to investing. It was founded in 1978 by Len Zacks, a Ph.D. scholar from MIT. He used the insights gathered while pursuing the Ph.D. to kickstart the company. Zacks provides financial data and analysis to professional investors, and owes its popularity partly to its earnings-per-share (EPS) estimates, Investopedia claims.
In recent times, Zacks started publishing research reports and recommendations for different stocks, funds, and similar.
For the company, this data breach hits somewhat harder, given that the company disclosed a different data breach that happened sometime between November 2021 and August 2022. In this, separate incident, threat actors made away with sensitive data on almost a million customers (820,000). In that attack, it was also said that hackers did not steal financial information.
“We have no reason to believe any customer credit card information, any other customer financial information, or any other customer personal information was accessed,” the company said at the time.
To mitigate the problem, Zacks engaged in a mandatory password reset for all users in January 2022. “When you log into your Zacks account, you will be prompted to change your password,” the company told its users. “You should also change the password for all other online accounts for which you used the same e-mail address and password as your Zacks account.”
However, given that the newly discovered incident probably happened earlier, the compromised accounts were likely not included in the password reset procedure.
According to Troy Hunt, Zacks plans on notifying all of the affected customers of the incident, but at press time, there’s still no timeline on when this might happen. Users suspecting they might have been affected can head over to HaveIBeenPwned? and type in their email address to see if they were indeed compromised.
Exposed, the forum where the data leaked, is relatively new. It rose after RaidForums, which was by far the most popular underground meeting ground for cybercriminals, was raided by the police and the servers confiscated. The forum’s founder and chief administrator, a 21-year-old Diogo Santos Coelho, of Portugal, was arrested in the UK at the US’ request. The US now seeks his extradition, but his lawyer says the move would risk Coelho’s health, as he is autistic.
What have others said?
This incident is closely related to one that happened between November 2021 and August 2022. Back in January 2023, SecurityWeek reported of the data breach, referring to a letter the company issued to impacted customers. In the copy of the letter, submitted to the Maine Attorney General, it was said that an unauthorized third party accessed an older database, in which they found customer data for people that signed up between November 1999 and February 2005.
In a separate report by BleepingComputer, it was said that now that the database has been publicly leaked, there is a good chance other threat actors will try to use the data found in it to engage in phishing or credential-stuffing attacks. Hence, all Zacks users are “strongly advised” to change their passwords as soon as possible. Also, given that users often use the same passwords across a multitude of services, if they’ve been using the same password on Zacks and elsewhere, they should change the passwords on other services, as well.
At press time, Zacks did not address the issue on Twitter, or Reddit. The popular internet forums were also quiet on the news, with no comments from potentially affected customers.
If you want to learn more about staying safe online, start by learning what is phishing, or what is multi-factor authentication. Also, make sure to check out our buying guide for the best password managers, as well as best password generators out there.