A cybersecurity incident at Zacks Investment Research has exposed sensitive data belonging to 12 million users, marking the second major breach for the financial services firm since 2022.
The compromised information includes email addresses, phone numbers, names, IP addresses, physical addresses, and weakly protected password hashes, raising concerns about identity theft and credential-stuffing attacks.
Breach Scope and Compromised Data
The breach – Posted by a cybersecurity Firm, Have I Been Pwned in X Platform.
New breach: Zacks allegedly had 12M email addresses breached last year in a separate incident to their 2022 breach. Date included name, IP and physical address, phone and unsalted SHA-256 password hash. 93% were already in @haveibeenpwned. Read more: https://t.co/J67RqsI1m2
— Have I Been Pwned (@haveibeenpwned) February 12, 2025
.png
)
Attackers accessed unsalted SHA-256 password hashes, a cryptographic method experts consider inadequate for modern security standards.
Unlike salted hashes, which add random data to passwords before encryption, unsalted hashes enable attackers to use precomputed “rainbow tables” to crack credentials efficiently through brute-force methods.
Physical addresses and IP addresses were also leaked, creating compound risks for victims.
As Hunt noted: “The combination of residential addresses and device identifiers could facilitate highly targeted phishing campaigns or physical security threats”.
Notably, 93% of affected email addresses already appeared in prior breach databases, indicating many users failed to update credentials after previous incidents.
Zacks’ Response and Historical Context
Zacks has not yet released an official breach notification, though independent analysts have verified the dataset’s authenticity through cross-referencing with known customer records.
This incident follows a 2022 breach where hackers compromised 820,000 accounts, suggesting systemic vulnerabilities in the company’s data protection frameworks.
The repetition of similar attack vectors – particularly the continued use of outdated hashing protocols – has drawn criticism from cybersecurity professionals.
John Opdenakker, a penetration tester, stated: “Financial institutions handling sensitive investor data have no excuse for using unsalted hashes in 2024. This represents a fundamental failure in implementing basic security hygiene”.
Risks to Affected Users
Victims face multifaceted threats:
- Credential-Stuffing Attacks: Cybercriminals often test leaked email/password combinations across banking platforms and investment services
- Sextortion Scams: Leaked phone numbers and physical addresses enable personalized extortion attempts
- Identity Theft: Complete personal profiles allow fraudsters to bypass know-your-customer (KYC) checks at financial institutions
The breach may trigger investigations under the FTC’s Safeguards Rule, which mandates rigorous data protection standards for financial institutions.
Potential fines could reach $50,120 per violation under updated FTC penalty guidelines.
As digital transformation accelerates across financial services, this breach underscores the critical need for proactive cybersecurity investments.
Until companies prioritize modern encryption and real-time threat monitoring, consumers remain vulnerable to evolving attack methodologies.
Investigate Real-World Malicious Links & Phishing Attacks With Threat Intelligence Lookup - Try for Free
