Date: 2025-02-18

A leading stock research and analysis firm appears to have been breached for the third time in just four years, with details from 12 million accounts published on the dark web.

Published on BreachForums at the end of last month by a user with the moniker “Jurak,” the trove dates from an incident in June 2024, according to breach notification site HaveIBeenPwned.

“The 2024 breach included 12 million unique email addresses along with IP and physical addresses, names, usernames, phone numbers and unsalted SHA-256 password hashes. Zacks did not respond to multiple attempts to contact them about the incident,” it explained.

The breach also included source code from the company, although “specifics on the repository remain undisclosed,” according to threat intelligence experts Dark Web Informer.

“The threat actor invites interested buyers with high reputation scores to contact them for the source code,” it noted, warning that such a leak could lead to the exploitation of further vulnerabilities in the company’s digital infrastructure.

Dark Web Informer also warned of the potential for the breach to cause significant reputational damage to the company among clients, alongside possible violations of SEC regulations and data privacy laws.

However, this isn’t the first time that Zacks Investment Research has suffered such an incident. Back in January 2023 it was confirmed that a threat actor compromised data on 820,000 customers between 2021 and 2022.

Then, just months after that incident, it was revealed that another breach compromised the email addresses, usernames, unsalted SHA-256 password hashes, addresses, phone numbers and full names of 8.8 million customers.

HaveIBeenPwned explained in a post on X (formerly Twitter) that 93% of the data in the ‘new’ breach was already in its repository.