12 Million Zacks Investment Accounts Exposed in Latest Hacking Scandal

In a shocking revelation, Zacks Investment Research, a prominent American investment research firm, has reportedly suffered another significant data breach. Sensitive information related to approximately 12 million user accounts was exposed, marking the third major breach impacting the company in the past four years. The leaked data includes full names, email addresses, physical addresses, phone numbers, and unsalted SHA-256 password hashes, raising serious concerns about user privacy and cybersecurity.

Zacks Investment Research: An Overview

Zacks Investment Research is a well-known name in the financial services industry, providing data-driven insights and tools to help investors make informed decisions. Its proprietary stock performance assessment tool, Zacks Rank, is widely used by individual and institutional investors alike. The company’s reputation for delivering reliable financial analysis makes this breach particularly alarming, as it undermines trust in its ability to safeguard sensitive user data.

The Breach: What Happened?

The breach came to light in late January 2025, when a threat actor posted data samples on a popular hacker forum. The hacker claimed to have accessed Zacks’ systems in June 2024, exfiltrating data from millions of user accounts. The leaked information was made available to forum members in exchange for a small cryptocurrency payment, further highlighting the monetization of stolen data in the cybercriminal underworld.

According to the threat actor, they gained access to Zacks’ Active Directory as a domain admin, allowing them to steal source code for the company’s main website (Zacks.com) and 16 other associated websites, including internal platforms. The hacker shared samples of the stolen source code as proof of the breach, adding credibility to their claims.

What Data Was Leaked?

The leaked database, which has since been added to Have I Been Pwned (HIBP), contains the following information:

1. Full names
2. Email addresses
3. Usernames
4. Physical addresses
5. Phone numbers
6. Unsalted SHA-256 password hashes
7. IP addresses

HIBP confirmed that the database includes 12 million unique email addresses, with a significant portion (approximately 93%) already present in its database from previous breaches. This suggests that many affected users may have been compromised in prior incidents, underscoring the persistent vulnerability of Zacks’ systems.

No Official Confirmation from Zacks

Despite the severity of the breach, Zacks Investment Research has not officially confirmed the incident. Multiple attempts to contact the company for comment have gone unanswered, leaving users and cybersecurity experts in the dark about the full extent of the damage. The lack of transparency has fueled frustration among customers, who are left wondering whether their personal information is at risk.

A History of Breaches

This latest incident is not the first time Zacks has faced a data breach. In January 2023, the company disclosed that hackers had infiltrated its networks between November 2021 and August 2022, compromising sensitive information of 820,000 customers. Just a few months later, in June 2023, HIBP validated another database originating from Zacks, which contained data from 8.8 million users. That breach was traced back to an earlier incident, with data reportedly dumped in May 2020.

The recurrence of such breaches raises serious questions about Zacks’ cybersecurity practices. Despite previous incidents, the company appears to have struggled to fortify its defenses, leaving its systems vulnerable to repeated attacks.

The Implications of the Breach

The exposure of sensitive user data has far-reaching consequences, both for Zacks and its customers. Here are some of the key implications:

User Privacy at Risk: The leaked data, including physical addresses and phone numbers, could be exploited for phishing attacks, identity theft, and other malicious activities.

Financial Fraud: With access to email addresses and unsalted password hashes, cybercriminals could attempt to crack passwords and gain unauthorized access to user accounts, potentially leading to financial fraud.

Reputational Damage: Repeated breaches erode trust in Zacks’ ability to protect user data, potentially driving customers to seek alternative investment research platforms.

Regulatory Scrutiny: Data breaches often attract the attention of regulatory bodies, which may impose fines or other penalties for failing to safeguard user information.

What Can Affected Users Do?

If you are a Zacks user, it is crucial to take immediate steps to protect your accounts and personal information:

Change Your Password: If you use the same password across multiple accounts, change it immediately. Use a strong, unique password for each account.

Enable Two-Factor Authentication (2FA): Wherever possible, enable 2FA to add an extra layer of security to your accounts.

Monitor Your Accounts: Keep a close eye on your financial accounts and credit reports for any suspicious activity.

Beware of Phishing Attempts: Be cautious of emails or messages claiming to be from Zacks, as cybercriminals may use stolen data to launch phishing campaigns.

Check Have I Been Pwned: Visit Have I Been Pwned to check if your email address was included in the breach.

Lessons for Organizations

The Zacks breach serves as a stark reminder of the importance of robust cybersecurity measures. Organizations, especially those handling sensitive financial data, must prioritize the following:

Regular Security Audits: Conduct frequent assessments to identify and address vulnerabilities in IT systems.

Data Encryption: Ensure that sensitive data, including passwords, is encrypted using strong, salted hashing algorithms.

Incident Response Planning: Develop and implement a comprehensive incident response plan to minimize the impact of breaches.

User Education: Educate users about cybersecurity best practices, such as creating strong passwords and recognizing phishing attempts.

Transparency: In the event of a breach, communicate openly with affected users and provide clear guidance on protective measures.

Conclusion

The data breach affecting 12 million Zacks Investment Research users is a sobering reminder of the persistent threat posed by cybercriminals. As organizations increasingly rely on digital systems to manage sensitive information, the need for robust cybersecurity measures has never been greater. For users, vigilance and proactive steps are essential to mitigate the risks associated with such breaches. By learning from incidents like this, both organizations and individuals can better prepare for the challenges of an increasingly interconnected world.