Zacks Investment Research Faces Third Major Data Breach in Four Years: 12 Million Accounts Exposed


A prominent stock research and analysis company, Zacks Investment Research, has fallen victim to a significant data breach for the third time in just four years. The stolen data, covering 12 million accounts, was posted on BreachForums at the end of January 2025; the intrusion itself reportedly took place in June 2024. The incident has raised serious concerns about the company’s cybersecurity practices. The dump includes a vast array of personal information such as email addresses, phone numbers, physical addresses, and unsalted SHA-256 password hashes. With such data now circulating on the dark web, experts are also warning of potential future risks, including the exploitation of the company’s leaked source code.

Summary

Zacks Investment Research, a major firm in stock analysis, suffered a data breach in June 2024, impacting 12 million accounts. This leak, discovered in January 2025, includes a range of personal information: names, emails, physical addresses, usernames, phone numbers, and unsalted SHA-256 password hashes. Alongside this, sensitive source code from the company has also been compromised, potentially enabling further exploitation of vulnerabilities. This breach marks the third such incident in just four years, with previous breaches occurring in 2021-2022 and 2023, compromising a combined total of over 9 million accounts. Despite these repeated attacks, Zacks Investment Research has not publicly addressed the breach, raising concerns about the company’s cybersecurity preparedness and transparency. Experts emphasize the need for stronger security measures, particularly for financial services firms.

What Undercode Says:

This breach is not an isolated incident for Zacks Investment Research, and its recurring nature underlines a critical failure in cybersecurity practices. The company’s repeated exposure to attacks suggests that fundamental security measures are either insufficient or improperly implemented. While many industries face cyber risks, financial services are particularly attractive targets due to the sensitive nature of the data they manage.

One of the most alarming aspects of this breach is the unsalted SHA-256 password hashes. SHA-256 is a sound cryptographic hash, but it is a fast, general-purpose hash rather than a password-hashing function, and here it was used without a salt, the per-user random value that is mixed into the hash before storage. Without salts, every user who chose the same password has the identical hash, so one cracked value unlocks every account that shares it, and an attacker can run a single precomputed table (a rainbow table or a hashed wordlist) against all 12 million hashes at once instead of attacking each one separately. Hashes are not “decrypted”; they are cracked by guessing, and with a fast unsalted hash, commodity GPUs can test billions of guesses per second. Since the attackers already hold the hash dump, the practical outcome is that a large share of the weaker passwords will be recovered and reused in credential-stuffing attacks against other services.
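To make that concrete, here is an added example (not Zacks code; the user list, wordlist and password values are constructed) that cracks a dump of unsalted SHA-256 hashes with a single precomputed table, shows how identical digests expose password reuse, and contrasts that with salted PBKDF2-HMAC-SHA256 storage, where every guess has to be recomputed per user. The 600,000-iteration default follows OWASP’s current guidance for PBKDF2-HMAC-SHA256; argon2id or bcrypt would be preferable but need third-party packages, so the standard library is used here.

```python
"""Why unsalted SHA-256 password hashes are cheap to crack.

Added example, not code from Zacks or the article. The "leak" below is a
constructed four-row stand-in for the real 12M-row dump; only the standard
library (hashlib, hmac, os) is used.
"""
import hashlib
import hmac
import os

# Constructed wordlist; a real cracker would use rockyou-sized lists.
WORDLIST = ["123456", "password", "letmein", "zacks2024", "qwerty"]


def sha256_hex(password: str) -> str:
    """Unsalted SHA-256, i.e. the weak scheme described in the leak."""
    return hashlib.sha256(password.encode()).hexdigest()


# Constructed sample dump: username -> unsalted SHA-256 hex digest.
# alice and carol picked the same password, which the dump makes obvious.
LEAK = {
    "alice": sha256_hex("password"),
    "bob": sha256_hex("zacks2024"),
    "carol": sha256_hex("password"),
    "dave": sha256_hex("correct horse battery staple"),  # not in wordlist
}


def crack_unsalted(leak: dict, wordlist: list) -> dict:
    """Hash the wordlist once, then look every leaked digest up in O(1).

    Cost is len(wordlist) hashes in total, no matter how many accounts are in
    the dump: that is exactly what a salt is supposed to prevent."""
    table = {sha256_hex(w): w for w in wordlist}
    return {user: table[h] for user, h in leak.items() if h in table}


def duplicate_groups(leak: dict) -> list:
    """Identical digest => identical password, visible without cracking."""
    groups = {}
    for user, digest in leak.items():
        groups.setdefault(digest, []).append(user)
    return [users for users in groups.values() if len(users) > 1]


# Hardened storage: 16-byte random salt per user plus a deliberately slow KDF.
PBKDF2_ITERATIONS = 600_000  # OWASP guidance for PBKDF2-HMAC-SHA256


def hash_password(password: str, iterations: int = PBKDF2_ITERATIONS) -> str:
    """Return a self-describing record: algo$iterations$salt_hex$dk_hex."""
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt/iterations; constant-time compare."""
    _algo, iters, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), int(iters)
    )
    return hmac.compare_digest(dk.hex(), dk_hex)


def crack_salted(records: dict, wordlist: list) -> dict:
    """With salts there is no shared table: each (user, guess) pair costs a
    full KDF run, so work scales with users * guesses * iterations."""
    cracked = {}
    for user, stored in records.items():
        for guess in wordlist:
            if verify_password(guess, stored):
                cracked[user] = guess
                break
    return cracked


if __name__ == "__main__":
    print("unsalted, one table for the whole dump:", crack_unsalted(LEAK, WORDLIST))
    print("password reuse visible in the dump:", duplicate_groups(LEAK))
    salted = {u: hash_password(p) for u, p in
              [("alice", "password"), ("carol", "password")]}
    print("same password, different salted records:", salted["alice"] != salted["carol"])
    print("salted crack (note how much slower this is):", crack_salted(salted, WORDLIST))
```

Run it once and the asymmetry is obvious: the unsalted dump falls to five hashes total, while the salted records force the attacker to spend 600,000 HMAC iterations per user per guess, and the reuse between alice and carol disappears from the stored data.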

The inclusion of source code in the breach further exacerbates the problem. Exposing proprietary software or code can lead to the identification of security vulnerabilities that were previously unknown or unaddressed. The malicious actor offering this source code for sale with an invitation to “reputable” buyers points to the possibility of further breaches, potentially leveraging the newly discovered vulnerabilities.

Zacks Investment Research’s response to the breach, or lack thereof, is also concerning. The company has reportedly failed to respond to multiple inquiries regarding the incident, which raises questions about their commitment to transparency and accountability. A proactive response is crucial in the event of a data breach, as failure to communicate can exacerbate reputational damage and alienate clients who may lose confidence in the company’s ability to safeguard their data.

The repeated nature of these breaches also highlights a critical gap in the company’s security awareness and training programs. Dray Agha from Huntress points out the importance of continuous, robust security training, especially in recognizing phishing and social engineering tactics. Had Zacks implemented a more comprehensive training program, employees might have been better equipped to prevent the breach, or at least to limit the damage.

Furthermore, Jawahar Sivasankaran from Cyware suggests that financial services firms such as Zacks would benefit from joining industry groups like the Financial Services Information Sharing and Analysis Center (FS-ISAC). These organizations provide valuable resources on emerging risks, such as generative AI, and offer guidance on threat intelligence management. Participating in such groups would allow Zacks to be more proactive in addressing the threats it faces, enhancing its overall security posture and response strategies.

In conclusion, this breach is a stark reminder of the persistent and evolving risks in the cybersecurity landscape. Zacks Investment Research’s failure to learn from previous incidents and implement stronger defenses only increases the vulnerability of its clients’ sensitive data. It is clear that more needs to be done to secure their digital infrastructure, implement effective response strategies, and foster a culture of security awareness. Until these issues are addressed, further breaches seem almost inevitable.

References:

Reported By: https://www.infosecurity-magazine.com/news/zacks-investment-research-breach/