Security researchers have discovered a breach at Zacks Investment Research dating all the way back to 2020, which appears to have impacted millions of customers.
The stock research and analysis firm has so far made no public disclosure about the incident. However, a post on breach notification site HaveIBeenPwned revealed that a trove of data on nearly nine million customers is being widely shared on a popular hacking forum.
“The most recent data was dated May 2020 and included names, usernames, email and physical addresses, phone numbers and passwords stored as unsalted SHA-256 hashes,” the note explained.
“On disclosure of the larger breach, Zacks advised that in addition to their original report ‘the unauthorized third parties also gained access to encrypted [sic] passwords of zacks.com customers, but only in the encrypted [sic] format.’”
The publication of the data means that customers should expect follow-on phishing and other attacks.
In January the firm revealed a breach of data on an estimated 820,000 customers, which it said occurred “sometime between November 2021 and August 2022.”
This particular incident involved a legacy database of customers who signed up for the Zacks Elite product between November 1999 and February 2005, the firm said at the time.
“The specific information we believe to have been accessed is your name, address, phone number, email address, and password used for Zacks.com,” it added in a breach notification.
“We have no reason to believe any customer credit card information, any other customer financial information, or any other customer personal information was accessed.”
Customers will no doubt be concerned not only at the size of the newly disclosed breach but also at the fact that it remained undetected for so long.