Investment Research Firm Data Breach Affects 12 Million Customers

The Financial Sector Faces Growing Cybersecurity Threats

In recent years, the financial sector has become a prime target for cybercriminals, surpassing even the healthcare industry in terms of data breaches and ransomware attacks. Financial institutions, including banks, fintech companies, and investment research firms, are increasingly vulnerable to security incidents that compromise customer data.

The Zacks Investment Breach: A Major Security Incident

One of the latest and most notable cases is the breach involving Zacks, a prominent American investment research company. Initially, a hacker named “Jurak” claimed to have stolen 15 million customer records, but a subsequent investigation revealed that the actual number of affected individuals is around 12 million.

The breach first came to public attention in late January 2025, when Jurak announced on BreachForums that they had infiltrated Zacks’ systems as early as June 2024. The hacker gained domain administrator privileges in Zacks’ Active Directory, the directory service that controls authentication and authorization across a Windows network, enabling them to access sensitive source code and user account data from Zacks.com and 16 other affiliated websites. The stolen data was then listed for sale on hacker forums, with samples provided for a small cryptocurrency fee to demonstrate authenticity.

Details of the Breach and Its Implications

Following a thorough investigation, it was confirmed that the breach occurred in June 2024, exposing not only 12 million unique email addresses but also a variety of personal data. The sophistication of the attack, particularly the domain admin access gained by the hacker, raises concerns about potential vulnerabilities in Zacks’ network security protocols.

This isn’t the first time Zacks has faced such a crisis. Previous breaches include a significant incident in 2022 that compromised an older database dating from 1999 to 2005, as noted on Zacks’ breach disclosure page.

The Nature of the Exposed Data

The Zacks Investment breach, validated by Have I Been Pwned (HIBP), revealed a concerning array of sensitive information. The leaked data includes email addresses, IP addresses, names, phone numbers, physical addresses, usernames, and unsalted SHA-256 hashed passwords. Such information is a goldmine for cybercriminals and can lead to phishing attempts, identity theft, and other malicious activities.

Alarmingly, 93% of the exposed email addresses had already been compromised in previous breaches, exacerbating the risks associated with password reuse. The use of unsalted SHA-256 for password storage, a scheme considered outdated and vulnerable, further heightens the danger: SHA-256 is designed to be fast, and without a per-user salt identical passwords produce identical hashes, making it easier for attackers to crack passwords and gain unauthorized access to accounts.
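The storage weakness described above, shown next to a hardened alternative. This is an added example, not code from Zacks or from the original article; the record format, the function names, and the PBKDF2 work factor are assumptions chosen for illustration.

```python
import hashlib
import hmac
import secrets

ITERATIONS = 600_000  # assumed PBKDF2-HMAC-SHA256 work factor; tune to your hardware


def unsalted_sha256(password: str) -> str:
    """The weak scheme named in the article: one fast hash, no salt."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def hash_password(password: str, iterations: int = ITERATIONS) -> str:
    """Return a self-describing record: algorithm$iterations$salt$derived_key."""
    salt = secrets.token_bytes(16)  # unique per account, stored beside the hash
    key = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${key.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    try:
        algorithm, iterations, salt_hex, key_hex = record.split("$")
        if algorithm != "pbkdf2_sha256":
            return False
        key = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                  bytes.fromhex(salt_hex), int(iterations))
        return hmac.compare_digest(key, bytes.fromhex(key_hex))
    except ValueError:  # malformed or legacy record
        return False


def needs_upgrade(stored: str) -> bool:
    """Flag legacy records (bare 64-hex SHA-256) for rehashing at next login."""
    return "$" not in stored and len(stored) == 64


if __name__ == "__main__":
    # Constructed sample: two accounts that reuse the same password.
    pw = "correct horse battery staple"
    # Unsalted: both accounts store the same digest, so reuse is visible.
    print("unsalted digests match:", unsalted_sha256(pw) == unsalted_sha256(pw))
    a, b = hash_password(pw), hash_password(pw)
    # Salted and stretched: records differ, yet each still verifies.
    print("salted records differ:", a != b)
    print("verify ok:", verify_password(pw, a), "| wrong pw:", verify_password("x", b))
    print("legacy flagged:", needs_upgrade(unsalted_sha256(pw)))
```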

Lack of Transparency from Zacks

Despite the serious nature of this breach, Zacks Investment Research has not yet issued an official statement as of February 2025. This lack of transparency raises significant concerns, particularly given the scale of the incident and the company’s history of security issues.

Proactive Measures to Protect Yourself

In light of the Zacks Investment data breach, it is crucial for individuals to take proactive steps to safeguard their personal information. Here are a few essential actions to consider:

1. **Stay Vigilant Against Phishing Attempts**: Cybercriminals often exploit stolen data to create convincing phishing messages. Be cautious of unsolicited communications that request personal or financial information, even if they appear legitimate. Strong antivirus software can help detect and prevent such threats.

2. **Consider Identity Theft Protection Services**: Given the exposure of sensitive information, investing in identity theft protection can provide an additional layer of security. These services monitor your accounts for fraudulent activity and can help freeze accounts if necessary.

3. **Enable Two-Factor Authentication (2FA)**: Activating 2FA on your online accounts adds an extra layer of security. Even if hackers obtain your login credentials, they will still need a second form of verification to access your accounts.

4. **Update Your Passwords**: Change passwords for any accounts that may have been affected and ensure you use unique, strong passwords for each account. Utilizing a password manager can simplify this process.

5. **Remove Personal Data from Public Databases**: If your information was exposed, consider utilizing data removal services that actively monitor and delete personal information from various websites. Although these services may come at a cost, they can significantly reduce your risk of identity theft.

The Broader Implications of the Zacks Investment Breach

The Zacks Investment breach serves as a stark reminder of the growing threat posed by cyberattacks in the financial sector. With millions of customers affected and personal data compromised, the risks of scams and identity theft are escalating. The limited communication from Zacks regarding the breach only adds to the uncertainty and concern for those impacted.

As these incidents become more prevalent, it is vital for individuals to remain vigilant about their online security. Implementing unique passwords, regularly monitoring accounts, and being alert to suspicious activities can help mitigate the risks associated with data breaches.
