Bad news continues to pile up for investment research firm Zacks as new reporting from the Have I Been Pwned website indicates the company was unaware of a massive data breach that began in 2021 and compromised over 8.8 million customer records.
While most of the stolen data appears to be basic contact information, password hashes were also reportedly leaked, stored in a format that is not especially secure. Though it is still not clear whether the two incidents are connected, a data breach disclosed by Zacks earlier this year contained similar stolen information.
Recent Zacks data breach dwarfs previous incident, information was made available on hacker forum
The new data breach is over 10 times larger than the one the investment research firm disclosed in January of this year. The nature of the stolen information points to a connection, but there is no confirmation of this yet. Zacks appeared to be unaware of the new incident until the information was made public via Have I Been Pwned on June 12, which added the stolen records to its database so that potential victims can check whether their credentials were compromised.
Though this data breach is newer to public knowledge, it looks to have taken place prior to the previously disclosed one. The roughly 8.8 million records appear to have been dumped in May 2020, with the window of the investment research firm’s previously disclosed breach running from November 2021 to August 2022. To make things slightly more complicated, the previously disclosed breach (of 820,000 records) consisted of information gathered between 1999 and 2005; the time window of customer records for the larger breach is still unclear.
All of this is likely leaving Zacks customers confused and dismayed, but there is one simple fact to focus on: unsalted password hashes were leaked in both cases, and the SHA256 format they were stored in is not nearly as strong as one would like to see for logins guarding potentially sensitive financial information. Attackers may well now use brute force techniques to crack these passwords (and have likely been working on this already), so any reuse of those passwords on other accounts should be tracked down and eliminated immediately.
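To make the weakness concrete from the defender's side, the following is an added example (not code from Zacks or from Have I Been Pwned) that contrasts the unsalted SHA256 storage described above with a salted, slow key-derivation function, and shows how a login path can verify a legacy record and rehash it on the spot. The hardened scheme (PBKDF2-HMAC-SHA256, random 16-byte salt, 600,000 iterations) and the record layout are assumptions for illustration; the usernames and passwords are constructed sample data.

```python
import hashlib
import hmac
import os
from typing import Optional, Tuple

# Legacy scheme as the article describes it: unsalted SHA-256 of the password.
# Two users with the same password get the same hash, so one cracked hash
# (or one precomputed table) answers for every account that shares it.
def legacy_sha256(password: str) -> str:
    return hashlib.sha256(password.encode("utf-8")).hexdigest()

# Assumed hardened replacement: salted PBKDF2-HMAC-SHA256 with a high work
# factor. Any slow, salted KDF (bcrypt, scrypt, Argon2) serves the same purpose.
PBKDF2_ITERATIONS = 600_000

def make_pbkdf2_record(password: str, salt: Optional[bytes] = None) -> dict:
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return {"alg": "pbkdf2-sha256", "iter": PBKDF2_ITERATIONS,
            "salt": salt.hex(), "hash": digest.hex()}

def verify_pbkdf2_record(record: dict, password: str) -> bool:
    expected = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                   bytes.fromhex(record["salt"]), record["iter"])
    # Constant-time comparison avoids leaking how many leading bytes matched.
    return hmac.compare_digest(expected.hex(), record["hash"])

def verify_and_upgrade(record: dict, password: str) -> Tuple[bool, dict]:
    """Verify against either format. A successful login against a legacy
    record returns an upgraded record that the caller should persist."""
    if record["alg"] == "sha256-unsalted":
        if hmac.compare_digest(legacy_sha256(password), record["hash"]):
            return True, make_pbkdf2_record(password)
        return False, record
    return verify_pbkdf2_record(record, password), record

def count_legacy_records(store: dict) -> int:
    """Inventory check: how many accounts still sit on the weak scheme."""
    return sum(1 for rec in store.values() if rec["alg"] == "sha256-unsalted")

def constructed_store() -> dict:
    # Constructed sample: two customers who happened to choose the same password.
    return {
        "alice": {"alg": "sha256-unsalted", "hash": legacy_sha256("Summer2020!")},
        "bob": {"alg": "sha256-unsalted", "hash": legacy_sha256("Summer2020!")},
    }
```

With this in place, every successful login silently migrates one more account off the unsalted scheme, and `count_legacy_records` reports how much of the store remains exposed.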
Clients of the investment research firm should also expect phishing and scam attempts directed to (and making use of) the contact information that was leaked in the data breach.
Use of investment research firm’s stolen data unknown prior to public dump
The fact that this much stolen data was made public on a forum should also be concerning: combined with the estimated breach period, it indicates that the threat actor has already been making use of the data for some time and now considers it to be of little further value.
It also remains unknown exactly what component of the investment research firm was compromised. The prior disclosed breach from January indicated that the stolen records were limited to customers of the “Zacks Elite” subscription product, something that was deprecated years ago. In addition to knowing exactly what was compromised, customers would no doubt like to know who the threat actor was and what they might have been doing with the data since 2020.