Zacks Investment Research
| Primary URL | Location (Country) | Industry |
|---|---|---|
| www[.]zacks[.]com | United States of America | Financial Services |
Profile
Zacks Investment Research, headquartered in the United States, is an investment research firm with a substantial customer base. It is commonly known simply as Zacks and provides financial analysis and research tools; the records behind this profile do not describe its products in detail. The scale of its operations is evident from a 2020 data breach that affected approximately 8.8 million individuals, indicating a wide reach among individual investors and market participants. The incident shows that the firm handles sensitive personal information at scale, including email addresses, physical mailing addresses and phone numbers, as is typical of a business offering personalized research services.
In May 2020, Zacks Investment Research experienced two distinct data security incidents. The first affected around 820,000 customers and exposed email addresses, usernames, full names, physical addresses, phone numbers and passwords stored as unsalted SHA-256 hashes; financial data was not affected. A second, larger incident exposed records on 8.8 million individuals, and that dataset was later posted publicly on a hacking forum. Public availability of the data raises the risk to affected users of credential stuffing, phishing and account takeover. Storing passwords as unsalted SHA-256 is a known weakness in password storage on two counts. SHA-256 is a fast general-purpose hash, so an attacker can test billions of candidate passwords per second on commodity GPUs. Without a per-user salt, identical passwords produce identical digests, precomputed (rainbow) tables apply directly, and a single hash of each candidate can be compared against every record in the dump at once rather than one account at a time. Anyone who reused their Zacks password elsewhere is therefore exposed well beyond the Zacks account itself. Zacks reset passwords for the accounts in the initial, smaller breach, but most accounts in the larger incident received no comparable forced reset, so a large number of users remained exposed. The breaches reveal weaknesses in the organization's data protection practices, particularly its password hashing and its delayed or incomplete mitigation of the broader incident. The public release of the data amplifies the long-term risk for the millions of people whose personal details are now available to malicious actors, enabling identity theft and fraud beyond compromise of the investment accounts.
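The cracking argument above, as an added example that is not code from the page's source or from Zacks: it builds a constructed dump of four hypothetical accounts, runs a dictionary attack against unsalted SHA-256 and against per-user salted SHA-256 to compare the cost and what the dump leaks on its own, and shows the storage form a practitioner should use instead (scrypt via the standard library). The account names, passwords, salts and wordlist are all invented for illustration.

```python
"""Why an unsalted SHA-256 password dump cracks so cheaply, and what to use instead.

Added example, not code from Zacks or from the page's source. Every user,
password, salt and wordlist entry below is constructed for illustration.
"""
import hashlib
import hmac
import os
from typing import Dict, List, Tuple

# --- Constructed sample data (hypothetical accounts, not real breach data) ---
_PLAINTEXTS = {
    "alice": "Summer2020!",
    "bob": "password123",
    "carol": "password123",                  # same password as bob
    "dave": "correct horse battery staple",  # not in the wordlist
}
# A tiny stand-in for a real cracking dictionary.
WORDLIST: List[str] = ["123456", "password", "password123", "Summer2020!", "qwerty", "letmein"]


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_unsalted_dump() -> Dict[str, str]:
    """The storage scheme described on the page: SHA-256 of the password, no salt."""
    return {u: sha256_hex(p.encode()) for u, p in _PLAINTEXTS.items()}


def shared_password_groups(dump: Dict[str, str]) -> List[List[str]]:
    """Without a salt, equal passwords give equal digests, so the dump itself
    reveals which accounts share a password before any cracking is done."""
    groups: Dict[str, List[str]] = {}
    for user, digest in dump.items():
        groups.setdefault(digest, []).append(user)
    return [users for users in groups.values() if len(users) > 1]


def crack_unsalted(dump: Dict[str, str], wordlist: List[str]) -> Tuple[Dict[str, str], int]:
    """Dictionary attack on unsalted hashes: one hash per candidate tests every
    account at once. Returns (user -> recovered password, hash computations)."""
    by_digest: Dict[str, List[str]] = {}
    for user, digest in dump.items():
        by_digest.setdefault(digest, []).append(user)
    recovered: Dict[str, str] = {}
    ops = 0
    for candidate in wordlist:
        ops += 1
        for user in by_digest.get(sha256_hex(candidate.encode()), []):
            recovered[user] = candidate
    return recovered, ops


def build_salted_dump() -> Dict[str, Tuple[bytes, str]]:
    """Minimal improvement: a random 16-byte per-user salt, still fast SHA-256."""
    return {u: (salt, sha256_hex(salt + p.encode()))
            for u, p in _PLAINTEXTS.items()
            for salt in (os.urandom(16),)}


def crack_salted(dump: Dict[str, Tuple[bytes, str]], wordlist: List[str]) -> Tuple[Dict[str, str], int]:
    """With salts each account must be attacked separately: the cost scales with
    users * candidates and a precomputed table is useless."""
    recovered: Dict[str, str] = {}
    ops = 0
    for user, (salt, digest) in dump.items():
        for candidate in wordlist:
            ops += 1
            if sha256_hex(salt + candidate.encode()) == digest:
                recovered[user] = candidate
                break
    return recovered, ops


def scrypt_hash(password: str, salt: bytes = b"") -> Tuple[bytes, bytes]:
    """Recommended storage: salted, memory-hard KDF (scrypt here; Argon2id or
    bcrypt are equally good). Each guess now costs about 16 MiB of memory and
    milliseconds of CPU, so the per-candidate cost above becomes the bottleneck."""
    salt = salt or os.urandom(16)
    return salt, hashlib.scrypt(password.encode(), salt=salt, n=2 ** 14, r=8, p=1)


def scrypt_verify(password: str, salt: bytes, stored: bytes) -> bool:
    _, candidate = scrypt_hash(password, salt)
    return hmac.compare_digest(candidate, stored)  # constant-time comparison


if __name__ == "__main__":
    unsalted = build_unsalted_dump()
    print("shared-password groups visible in unsalted dump:", shared_password_groups(unsalted))
    print("unsalted crack:", crack_unsalted(unsalted, WORDLIST))
    print("salted crack:  ", crack_salted(build_salted_dump(), WORDLIST))
    salt, stored = scrypt_hash("Summer2020!")
    print("scrypt verify correct/wrong:", scrypt_verify("Summer2020!", salt, stored),
          scrypt_verify("Summer2020", salt, stored))
```

Running it shows the same three weak passwords recovered in both cases, but the unsalted dump falls in six hash computations (one per wordlist entry) and exposes bob and carol as sharing a password before any cracking, while the salted dump needs a separate pass per account. The scrypt functions are the form a breach of this kind argues for: a salt, a slow memory-hard KDF, and a constant-time verify.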
