Cyber Incident Victim: Zacks Investment Research
Date:
May 2020
Location:
United States of America
Summary
Zacks Investment Research suffered two separate data breaches. The earlier one, dated around May 2020, exposed roughly 8.8 million user records; the later one, between November 2021 and August 2022, affected approximately 820,000 customers. The compromised data included email addresses, usernames, unsalted SHA-256 password hashes, physical addresses, phone numbers, and full names; no financial information was involved. The larger 2020 dataset was later posted publicly on a hacking forum, raising the risk of credential stuffing, phishing, and account hijacking. Zacks forced password resets only for accounts tied to the smaller 2021-2022 incident, so most of the 8.8 million accounts from the earlier breach had no such protection at the time the breach came to light.
Description
Zacks Investment Research experienced two significant data breaches impacting customer information: the first around May 10, 2020, and a second between November 2021 and August 2022. The 2020 breach remained undisclosed until June 2023, when Have I Been Pwned (HIBP) received and verified a database of 8.8 million user records shared on the Exposed hacking forum. The database included email addresses, usernames, unsalted SHA-256 password hashes, physical addresses, phone numbers, and full names. Financial data such as credit card numbers or bank account details was not present in the exposed records. Because SHA-256 is a fast general-purpose hash and no per-user salt was used, the password hashes offer little resistance to offline dictionary attacks, and identical passwords produce identical hashes across the whole dump. This 2020 breach predated the 2021-2022 incident Zacks had previously disclosed, which affected approximately 820,000 customers and for which the company had issued notifications stating that no financial information was compromised. After HIBP's analysis, the 2020 dataset was publicly leaked on the forum, increasing the risk of widespread misuse. Zacks had forced password resets for accounts linked to the 2021-2022 breach but did not extend that measure to the 8.8 million users affected by the earlier incident. The company did not respond to media inquiries about the newly revealed breach but indicated through HIBP that notification of impacted individuals was planned, without specifying a timeframe.

The exposure of 8.8 million customer records created substantial risks of credential stuffing, account hijacking, and SIM swapping, since the dump combined weakly protected passwords with phone numbers and other personally identifiable information. HIBP added the breach to its notification service so that users could check whether their email addresses were included. The public availability of the database on Exposed, a forum known for distributing stolen data, heightened the likelihood of phishing campaigns and of automated login attempts against other platforms where users had reused the same credentials. Zacks' earlier password reset covered only the roughly 820,000 accounts tied to the 2021-2022 breach, about 10% of the 8.8 million accounts in the 2020 dump, so the majority of users compromised in 2020 remained unprotected at the time of disclosure. The absence of financial data in both breaches limited immediate monetary risk but did nothing to reduce the threat of account takeover and identity fraud from the exposed personal information. Public reporting stressed that affected individuals should change their password on every service where they had reused their Zacks credentials, though as of the latest available information the company itself had not issued formal guidance about the 2020 breach.
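The practical weight of "unsalted SHA-256" in the description above, and of the credential-stuffing risk it creates, is easiest to see in code. The following is an added example, not code from Zacks or from HIBP: it builds a small constructed dump in the same shape as the leaked fields (email plus unsalted SHA-256 hex digest), shows that a single precomputed table over a wordlist recovers every matching account in one pass and that users sharing a password are visible before any cracking happens, and contrasts this with per-user salted PBKDF2-HMAC-SHA256 from the Python standard library, where identical passwords no longer collide and every guess must be recomputed per account. The email addresses, cleartext passwords, wordlist and iteration count are all assumptions chosen for the demonstration.

```python
import hashlib
import hmac
import os
from typing import Dict, List, Tuple

def sha256_hex(password: str) -> str:
    """Unsalted SHA-256 as the leaked dump stored it: same input, same output, everywhere."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()

# Constructed sample accounts (hypothetical, not real Zacks records). Two users
# deliberately share a password to show the collision an unsalted scheme leaks.
SAMPLE_PASSWORDS = {
    "alice@example.com": "Summer2020!",
    "bob@example.com": "letmein",
    "carol@example.com": "Summer2020!",
    "dave@example.com": "Tr0ub4dor&3-unlikely-in-a-wordlist",
}
LEAKED_ROWS: List[Tuple[str, str]] = [
    (email, sha256_hex(pw)) for email, pw in SAMPLE_PASSWORDS.items()
]

# A tiny constructed wordlist standing in for a real cracking dictionary.
WORDLIST = ["123456", "password", "letmein", "Summer2020!", "qwerty"]

def crack_unsalted(rows: List[Tuple[str, str]], wordlist: List[str]) -> Dict[str, str]:
    """Hash each candidate once, then match it against the entire dump.

    With no salt the cost is len(wordlist) hashes regardless of how many
    accounts are in the dump; the result maps email -> recovered password.
    """
    table = {sha256_hex(word): word for word in wordlist}
    return {email: table[digest] for email, digest in rows if digest in table}

def shared_hash_groups(rows: List[Tuple[str, str]]) -> Dict[str, List[str]]:
    """Accounts whose unsalted hashes are identical share a password, visible without cracking."""
    groups: Dict[str, List[str]] = {}
    for email, digest in rows:
        groups.setdefault(digest, []).append(email)
    return {d: emails for d, emails in groups.items() if len(emails) > 1}

def hashes_needed(n_accounts: int, wordlist_size: int, salted: bool) -> int:
    """Work factor for a dictionary attack: one pass for unsalted, one pass per account when salted."""
    return wordlist_size * (n_accounts if salted else 1)

# Hardened storage: random 16-byte per-user salt and a slow KDF. PBKDF2-HMAC-SHA256
# is used here because it is in the standard library; the iteration count is an
# assumption for the example (a deployment would use scrypt/Argon2 or a tuned value).
PBKDF2_ITERATIONS = 600_000

def store_salted(password: str) -> Tuple[bytes, bytes]:
    """Return (salt, digest) for a new credential record."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return salt, digest

def verify_salted(password: str, salt: bytes, digest: bytes) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return hmac.compare_digest(candidate, digest)

if __name__ == "__main__":
    print("cracked:", crack_unsalted(LEAKED_ROWS, WORDLIST))
    print("shared passwords:", shared_hash_groups(LEAKED_ROWS))
    print("hashes for 8.8M accounts, 10M-word list, unsalted:",
          hashes_needed(8_800_000, 10_000_000, salted=False))
    print("hashes for 8.8M accounts, 10M-word list, salted:",
          hashes_needed(8_800_000, 10_000_000, salted=True))
    s1, d1 = store_salted("Summer2020!")
    s2, d2 = store_salted("Summer2020!")
    print("salted digests differ for same password:", d1 != d2)
```

The `hashes_needed` figures are the point for a defender: against the real dump, an attacker with a 10-million-word list needs 10 million SHA-256 operations to test every one of the 8.8 million accounts, which commodity hardware finishes in seconds, whereas per-user salting multiplies that by the number of accounts and a slow KDF multiplies it again by the iteration count. Credential stuffing then follows directly from the `crack_unsalted` output: each recovered email/password pair is replayed against other sites, which is why the reporting urged password changes everywhere the Zacks password was reused.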
