A data breach at Zacks that was originally disclosed early this year may have been much worse than originally reported. The investment research firm appears to have lost the data of many more customers, over 10 times as many according to new information published on June 12, though it remains unclear if the new information comes from an entirely separate breach.
The first disclosed data breach took place between November 2021 and August 2022, and a notification on January 25 of this year indicated that 820,000 customers were impacted. That number has now been revised to 8.8 million, and the data has been shared publicly on an underground hacking forum. Both Zacks and the security researchers that uncovered the new breach say that customer financial data was not impacted, but the leak does contain unsalted SHA256 passwords.
Paul Bischoff, Consumer Privacy Advocate at Comparitech, notes that there appears to have been no awareness of the larger data breach at the investment research firm prior to its appearance in the criminal underground: “It’s never a good sign when a breached database is posted on hacker forums before the owners disclose the breach to users. That usually means the owner was either not aware of the breach or they intentionally hid it, neither of which is a good look. Zacks customers should be on the lookout for targeted phishing messages from scammers posing as Zacks or a related company. Scammers may use personal information from the breached database to make their messages more convincing. Never click on links or attachments in unsolicited emails!”
Investment research firm’s recent breach window much bigger than previously known
Founded in 1978, Zacks is one of the leading quantitative investment research firms. The company’s initial data breach notification stated that “sensitive” information for about 820,000 customers had been accessed during the breach window, but that it was limited to those that had subscribed to the company’s “Zacks Elite” product between November 1999 and February 2005.
The type of personal data that was stolen has not been revised by the new data breach information. The investment research firm had previously said that the stolen data mostly consisted of basic contact information: full names, addresses, phone numbers and email addresses. The most concerning element was the presence of what the company called “old passwords.” A password reset was issued for impacted accounts, and the breach blended in with bigger cybersecurity news.
A recent update from Have I Been Pwned revealed that the collection of information was much larger than initially estimated, however. The popular data breach notification site posted a notice indicating it had populated its database with some 8.8 million records from the leak. This new collection of information has a very similar scope, but security researchers think that it may have been dumped in May 2020, well before the estimated start date of the prior breach.
The primary item of concern is the unsalted SHA256 passwords. These are encrypted (hashed), but the format is outdated and was never considered particularly strong even in its prime. In this state, interested hackers will likely be able to crack them with simple “brute force” techniques, and impacted parties should assume that the passwords are compromised.
Data breach information available on popular “black hat” forum, possibly in circulation for years
The investment research firm’s data was found on “Exposed,” an up-and-coming hacker board that has been in the news lately for leaking the user data of a previous titan of the dark web forum scene. The attackers appear to have made the contents of the data breach available to the general public, meaning that it is imperative that anyone with potentially impacted login credentials (such as a shared password between multiple accounts) make updates to protect their security immediately.
The data breach is also in keeping with a general pattern that has emerged in recent years: initial breach notifications downplay or underestimate the amount or quality of exposed data, only to be revised months later to indicate that many more customers had been at risk the entire time without being aware of it. The investment research firm’s misfortune roughly tracks with the current poster child for this sort of long-term breach revision: LastPass. The popular password manager first announced a data breach in August 2022, revised it to include encrypted passwords in December 2022, and thus far the known scope has continued to expand throughout 2023.
Customers would no doubt like to know more about the investment research firm’s larger breach, but details are still thin at this time. The “Zacks Elite” product known to be compromised was split up some time ago into the current “Zacks Premium” and “Zacks Ultimate” subscription packages, but the company also offers a number of other tools and paid products. It also does not publicly share subscriber numbers, so there is not much upon which to make an educated guess as to other specific product lists that may have been compromised.
And as Ani Chaudhuri (CEO of Dasera) observes, the fact that the identity of the threat actor and the means of the data breach are still up in the air does not help the situation: “The recent data breach at Zacks Investment Research is profoundly concerning and highlights data security’s complex and ever-evolving nature.”
“The details of the Zacks breach have not been disclosed. Determining the specific cause of a breach often requires a thorough investigation by cybersecurity experts and forensic analysis of the affected systems,” added Chaudhuri. “The implications of this breach are significant, as threat actors may exploit the leaked data for malicious purposes such as phishing or credential-stuffing attacks. All Zacks users must immediately change their passwords to unique ones. Furthermore, if you use the same password at other sites, it is essential to update those passwords to ensure your accounts remain secure. This incident underscores the need for a collaborative approach to data security. Organizations, industry leaders, and individuals must work together to strengthen security measures, implement robust safeguards, and stay vigilant against evolving threats. Protecting sensitive data requires continuous efforts and a shared commitment to safeguarding customer trust.”