Online investment research: Data from millions of Zacks users leaked

The personal data of millions of Zacks customers is for sale in an underground forum.

Detail of a light gray computer keyboard on which the right-hand Caps Lock key has been replaced by a green key labeled "Leak"

(Image: CarpathianPrince/Shutterstock.com)


Zacks has apparently suffered another IT security incident in which attackers gained access to customer data: A data package containing 12 million entries on Zacks users was published in an underground forum. Data packages resulting from cyberattacks are regularly offered for sale in the forum.

Zacks is an online tool for visualizing the development of share prices, among other things. The data leak was reported by security researchers from Malwarebytes. According to the report, the data package originated from a cyberattack in June 2024. Among other things, it contains database entries and source code from the Zacks website and other internal company pages.

The researchers also found entries with personal data from 12 million Zacks customers. These include email addresses, names and telephone numbers. The entries are also said to contain protected passwords (unsalted SHA-256 hashes). This means that criminals cannot easily do anything with them.

As proof, the leaker, who uses the pseudonym Jurak, has published excerpts from the archive. Security researchers currently assume that the data is genuine. Jurak states that he was able to gain access to the Zacks Active Directory as a domain admin. It is not yet clear how the attack took place. You can check whether you have been affected by the data leak on the Have I Been Pwned website.


So far, there has been no official statement from Zacks about this incident. This is not the first data leak to affect Zacks: personal data from around 8.6 million accounts was published back in 2023. In October 2024, there was another leak with around 8,000 entries.

(des)


This article was originally published in German. It was translated with technical assistance and editorially reviewed before publication.