Hacker claims they stole 12m customer accounts from Zacks Investment Research

A threat actor has claimed that they infiltrated the internal network of Zacks Investment Research and stole the sensitive personal information of about 12 million customers.

 

Zacks is a leading American investment research firm on stock research, analysis, and recommendations and provides its customers data-driven insights to help them make informed financial decisions.

 

Recently, a threat actor using the moniker “Jurak” claimed to have breached into the network of Zacks and stole confidential data and sensitive customer information. In a post on a dark web forum, the threat actor claimed to be in possession of names, usernames, email addresses, physical addresses, phone numbers, usernames and passwords of 12 million accounts.

 

The hacker has offered to sell the entire database to interested buyers who can meet the quoted price. Also, it has offered to sell source code to buyers with “high reputation”.

 

In a statement shared with BleepingComputer, the hacker said they gained access to the company’s active directory as a domain admin and then stole source code for the main site (Zacks.com) and 16 other websites, including some internal websites. They also shared samples of the source code they had stolen as proof of the new breach.

 

The database was added to the "Have I Been Pwned" repository which confirmed that the file included 12 million unique email addresses, along with IP addresses, names, passwords in the form of unsalted SHA-256 hashes, phone numbers, physical addresses, and usernames. Zacks is yet to comment on the claims of the threat actor.

 

In 2023, the investment firm disclosed another data security incident that compromised the sensitive personal information of 820,000 individuals.

 

According to a filing with the Maine state regulator, threat actors had unauthorised access to the company’s internal network between November 2021 and August 2022. The compromised data included names, addresses, phone numbers, email addresses, and passwords for Zacks[.]com customer accounts.