Zacks Investment Research, a prominent financial services firm, has once again found itself at the center of a cybersecurity incident that has put the sensitive data of 12 million users at risk. This breach, the second major one for the company since 2022, has raised concerns about identity theft and credential-stuffing attacks due to the exposure of email addresses, phone numbers, names, IP addresses, physical addresses, and weakly protected password hashes.
The scope of the breach was brought to light by the breach-notification service Have I Been Pwned, which reported that the dataset included unsalted SHA-256 password hashes. Security practitioners consider that scheme inadequate for password storage: SHA-256 is designed to be fast, and without a per-user salt every user who chose the same password ends up with the same hash, so an attacker can hash a wordlist once, look every leaked hash up in the resulting table, and recover weak passwords across the whole user base at GPU speed. The leaked data also included physical addresses and IP addresses, creating additional risks for the affected individuals.
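To make concrete why unsalted SHA-256 is considered inadequate, the following is an added example (not part of the original report, and not Zacks code) run against a constructed toy credential table. It shows that a dictionary attack on unsalted SHA-256 costs one hash per candidate password for the entire user base and exposes identical passwords as identical hashes, whereas a per-user salt combined with a deliberately slow key-derivation function (PBKDF2-HMAC-SHA256 here) forces the attacker to redo the work for every user. The user names, passwords and wordlist are constructed; the 600,000-iteration default is a commonly recommended PBKDF2-SHA256 work factor, not a Zacks setting.

```python
import hashlib
import hmac
import os
from typing import Dict, Optional, Tuple

# Constructed sample data for illustration only: not real Zacks records.
WORDLIST = ["password", "123456", "letmein", "qwerty", "zacks2024", "Summer2023!"]

USERS = {
    "alice@example.com": "123456",
    "bob@example.com": "letmein",
    "carol@example.com": "123456",                # same password as alice
    "dave@example.com": "c0rrect-h0rse-battery",  # not in the wordlist
}


def unsalted_sha256(password: str) -> str:
    """The weak scheme reported in the breach: a single SHA-256 over the raw password."""
    return hashlib.sha256(password.encode()).hexdigest()


def crack_unsalted(leaked: Dict[str, str], wordlist) -> Dict[str, str]:
    """Dictionary attack on unsalted hashes.

    With no salt, each candidate is hashed exactly once and the whole leak is
    checked by reverse lookup; users sharing a password share a hash, so one
    table entry cracks all of them at once.
    """
    table = {unsalted_sha256(w): w for w in wordlist}          # len(wordlist) hashes total
    return {user: table[h] for user, h in leaked.items() if h in table}


def pbkdf2_record(password: str, salt: Optional[bytes] = None,
                  iterations: int = 600_000) -> str:
    """Salted, slow hash (PBKDF2-HMAC-SHA256) stored as 'iterations$salt$hash'."""
    salt = salt if salt is not None else os.urandom(16)       # random 128-bit salt per user
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"{iterations}${salt.hex()}${dk.hex()}"


def verify_pbkdf2(password: str, record: str) -> bool:
    """Recompute the derivation from the stored parameters and compare in constant time."""
    iters, salt_hex, dk_hex = record.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk, bytes.fromhex(dk_hex))


def build_salted_table(users: Dict[str, str], iterations: int = 600_000) -> Dict[str, str]:
    """Store every user with a fresh salt; identical passwords no longer collide."""
    return {user: pbkdf2_record(pw, iterations=iterations) for user, pw in users.items()}


def crack_salted(leaked: Dict[str, str], wordlist) -> Tuple[Dict[str, str], int]:
    """Same dictionary attack against salted records, counting derivations performed.

    The salt defeats the shared lookup table: every candidate must be re-derived
    per user, and each derivation now costs `iterations` HMAC calls instead of one.
    """
    cracked, work = {}, 0
    for user, record in leaked.items():
        for candidate in wordlist:
            work += 1
            if verify_pbkdf2(candidate, record):
                cracked[user] = candidate
                break
    return cracked, work


if __name__ == "__main__":
    leaked = {u: unsalted_sha256(p) for u, p in USERS.items()}
    print("unsalted: alice and carol share a hash:",
          leaked["alice@example.com"] == leaked["carol@example.com"])
    print("unsalted cracked with", len(WORDLIST), "hashes:", crack_unsalted(leaked, WORDLIST))

    salted = build_salted_table(USERS, iterations=1000)   # low count so the demo runs quickly
    cracked, work = crack_salted(salted, WORDLIST)
    print("salted cracked:", cracked, "after", work, "derivations of 1000 iterations each")
```

Against the unsalted table the attacker spends six hashes and recovers three accounts, two of them from the same table entry. Against the salted table the same wordlist costs thirteen full derivations for the same result, and at a production iteration count each derivation is hundreds of thousands of times slower than a bare SHA-256, which is what turns a feasible mass-cracking job into an impractical one.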
Notably, 93% of the impacted email addresses were already present in prior breach databases. That overlap does not by itself show that users failed to change their passwords after earlier incidents, but it does mean that any password cracked from this leak can immediately be tried against the other services where the same address appears, which is exactly what credential-stuffing campaigns do; users who reused passwords across those accounts are the ones most exposed.
Zacks has yet to issue an official breach notification, but independent analysts have confirmed the authenticity of the dataset by cross-referencing it with known customer records. This latest breach comes on the heels of a similar incident in 2022, where hackers compromised 820,000 accounts, pointing to systemic vulnerabilities in the company’s data protection mechanisms.
The use of fast, unsalted hashes in both breaches has drawn criticism from cybersecurity professionals, with some experts calling it a fundamental failure to implement basic security measures. John Opdenakker, a penetration tester, highlighted the lack of excuse for using unsalted hashes in 2024, especially for financial institutions handling sensitive investor data.
Affected users now face a variety of threats, including credential-stuffing attacks, sextortion scams that leverage the leaked phone numbers and physical addresses to appear credible, and identity theft facilitated by complete personal profiles. The breach could also lead to investigations under the FTC's Safeguards Rule, which mandates stringent data protection standards for non-bank financial institutions. Fines could reach up to $50,120 per violation under updated FTC penalty guidelines.
As the financial services industry undergoes rapid digital transformation, this breach serves as a stark reminder of the urgent need for proactive cybersecurity measures. Without modern password storage (per-user salts and a deliberately slow, memory-hard or iterated hashing algorithm) and real-time threat monitoring, consumers will remain vulnerable to evolving cyber threats. It is imperative for companies like Zacks to prioritize cybersecurity investments to safeguard their customers' sensitive information and prevent future breaches.

