In a significant cybersecurity incident, Zacks Investment Research, a prominent American investment firm, experienced a data breach that compromised the personal information of approximately 12 million customers. The breach, which occurred in June 2024 but was publicly disclosed in late January 2025, underscores the escalating threats facing the financial sector.
Details of the Breach
A cybercriminal known as “Jurak” claimed responsibility for infiltrating Zacks’ systems, asserting that they had gained domain administrator privileges in the company’s Active Directory. This level of access allowed the attacker to exfiltrate source code for Zacks.com and 16 other websites, internal tools, and extensive user account data. The stolen information was subsequently advertised for sale on hacker forums, with samples offered for cryptocurrency payments to verify authenticity.
Compromised Data
The breach exposed a range of sensitive customer information, including:
- Email addresses: Approximately 12 million unique addresses were compromised.
- Personal details: Names, physical addresses, phone numbers, and usernames.
- Security credentials: Passwords stored as unsalted SHA-256 hashes, a scheme that is considered outdated and less secure.
Alarmingly, 93% of the leaked email addresses had been exposed in previous breaches, heightening the risk of credential stuffing attacks where attackers use known email-password combinations to gain unauthorized access to accounts.
Zacks’ Response and Security Implications
Despite the severity of the breach, Zacks Investment Research had not released an official statement as of February 2025. This lack of transparency is concerning, especially given the potential risks to affected customers. The use of unsalted SHA-256 hashes for passwords indicates outdated security practices: a fast hash with no per-user salt lets an attacker test candidate passwords against every leaked record at once, making it easier to crack passwords and compromise accounts.
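To make the point about unsalted SHA-256 concrete, the following is an added example (not code from Zacks or from the article) that contrasts that scheme with a salted, iterated PBKDF2 record and shows how a legacy store can be migrated on login; the iteration count, record format, and sample users are assumptions.

```python
import hashlib
import hmac
import os

# Assumed work factor for PBKDF2-HMAC-SHA256 (OWASP's 2023 guidance is 600,000).
ITERATIONS = 600_000

def weak_hash(password: str) -> str:
    """Unsalted SHA-256, the scheme the leaked records reportedly used.
    One fast hash and no per-user salt: equal passwords give equal digests,
    and a digest can be matched against a precomputed table in one lookup."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()

def hardened_hash(password: str, salt: bytes = b"") -> str:
    """Salted, iterated PBKDF2-HMAC-SHA256 (standard library only). The record
    carries its own parameters: 'pbkdf2$<iters>$<salt_hex>$<digest_hex>'."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return f"pbkdf2${ITERATIONS}${salt.hex()}${digest.hex()}"

def verify(password: str, stored: str) -> bool:
    """Checks a password against either record format using a constant-time compare."""
    if stored.startswith("pbkdf2$"):
        _, iters, salt_hex, digest_hex = stored.split("$")
        digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                     bytes.fromhex(salt_hex), int(iters))
        return hmac.compare_digest(digest.hex(), digest_hex)
    return hmac.compare_digest(weak_hash(password), stored)  # legacy unsalted record

def login_and_upgrade(store: dict, user: str, password: str) -> bool:
    """Transparent migration: after a successful login against a legacy unsalted
    record, rewrite it as a salted PBKDF2 record (the cleartext exists only here)."""
    stored = store.get(user)
    if stored is None or not verify(password, stored):
        return False
    if not stored.startswith("pbkdf2$"):
        store[user] = hardened_hash(password)
    return True

def shared_digests(store: dict) -> dict:
    """Audit of a legacy store: identical unsalted digests reveal which users share
    a password without revealing it; a salted store gives nothing to group on."""
    groups = {}
    for user, stored in store.items():
        if not stored.startswith("pbkdf2$"):
            groups.setdefault(stored, []).append(user)
    return {d: users for d, users in groups.items() if len(users) > 1}

if __name__ == "__main__":
    # Constructed sample store of legacy unsalted records (not breach data).
    store = {u: weak_hash(p) for u, p in [("alice", "Winter2024!"), ("bob", "Winter2024!"), ("carol", "hunter2")]}
    print(shared_digests(store))  # alice and bob are visibly linked by one digest
    print(login_and_upgrade(store, "alice", "Winter2024!"), store["alice"][:7])
```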
Recommendations for Affected Customers
Individuals impacted by this breach should take immediate steps to protect their personal information:
- Monitor for phishing attempts: Be vigilant about unsolicited communications that may attempt to extract additional personal or financial information.
- Use strong, unique passwords: Avoid reusing passwords across multiple platforms and consider using a reputable password manager to generate and store complex passwords.
- Enable two-factor authentication (2FA): Adding an extra layer of security can prevent unauthorized access even if credentials are compromised.
- Stay informed: Regularly check for updates from Zacks and other financial institutions to stay aware of any new developments or recommended actions.
This incident highlights the critical need for comprehensive security awareness training within organizations. Such training ensures that employees at all levels understand the importance of cybersecurity protocols and are equipped to recognize and respond to potential threats. Key components of effective security awareness training include:
- Recognizing phishing attempts: Educating employees on how to identify and avoid malicious emails or messages.
- Implementing strong password policies: Encouraging the creation of complex passwords and the use of password managers.
- Understanding data protection protocols: Ensuring that employees handle sensitive information in compliance with organizational and regulatory standards.
- Regular training sessions: Keeping cybersecurity knowledge current through ongoing education and simulated attack exercises.
By prioritizing security awareness training, organizations can significantly reduce the risk of data breaches, protect their reputation, and maintain customer trust in an increasingly digital landscape.
Full Story: https://www.foxnews.com/tech/investment-research-data-breach-exposes-12-million-customers