A database containing the personal data of over 8.8 million users of Zacks Investment Research has been exposed on a hacking forum, a larger number of users than in the data breach the company initially reported in January 2023. The database, as confirmed by data breach notification service Have I Been Pwned, includes names, addresses, phone numbers, email addresses, usernames, and passwords stored as unsalted SHA-256 hashes.
Troy Hunt, maintainer of Have I Been Pwned, contacted Zacks regarding the larger breach; in response, the company claimed the attackers had accessed only encrypted passwords. The database appeared on the hacking forum on June 10, 2023, and contains records dating back to May 2020. This suggests that Zacks may not have been aware of the extent of the breach when it made its initial disclosure in January 2023 of a breach affecting around 820,000 users.
Zacks claimed that customer credit card details and other financial data were not compromised in the previously reported incident, and that it had reset the affected account passwords. However, users whose information appeared in the newly discovered database might now be at risk of phishing and other types of attacks.