02-17-2025, 10:05 PM
Zacks Investment Research (Zacks) last year reportedly suffered another data breach that exposed sensitive information related to roughly 12 million accounts.
Zacks is an American investment research company that provides its customers data-driven insights through a proprietary stock performance assessment tool called ‘Zacks Rank’, to help with making informed financial decisions.
In late January, a threat actor published data samples on a hacker forum, claiming a breach at Zacks in June 2024 that exposed data of millions of customers.
The published data, available to forum members in exchange for a small cryptocurrency amount, contains full names, usernames, email addresses, physical addresses, and phone numbers.
![[Image: zacks-breached.jpg]](https://external-content.duckduckgo.com/iu/?u=https://www.bleepstatic.com/images/news/u/1220909/2025/February/zacks-breached.jpg)
@Jurak

BleepingComputer contacted Zacks multiple times to ask about the authenticity of the data, but we have not heard back.
However, the threat actor told BleepingComputer that they gained access to the company's Active Directory as a domain admin and then stole source code for the main site (Zacks.com) and 16 other websites, including some internal websites. They also shared samples of the source code they had stolen as proof of the new breach.
Earlier today, the leaked Zacks database was added to Have I Been Pwned, a website where users can check if their personal data has been compromised.
HIBP confirmed that the file included 12 million unique email addresses, along with IP addresses, names, passwords in the form of unsalted SHA-256 hashes, phone numbers, physical addresses, and usernames.
However, the service also notes that roughly 93% of the leaked email addresses were already in its database from past breaches of the same platform or other services.
No official confirmation
