
Zacks Investment Research, a prominent American financial insights company, has reportedly experienced its third major data breach in four years. The incident, which occurred in June 2024, potentially exposed sensitive information of approximately 12 million customer accounts.
The breach came to light when a threat actor posted data samples on a hacker forum in January, offering the information for sale in exchange for cryptocurrency. The exposed data includes:
– Full names
– Usernames
– Email addresses
– Physical addresses
– Phone numbers
– Passwords (unsalted SHA-256 hashes)
– IP addresses
The threat actor claims to have gained domain admin access to Zacks’ Active Directory and stolen source code from Zacks.com and 16 other affiliated websites. Have I Been Pwned (HIBP) has verified the breach, noting that 93% of the compromised email addresses were previously exposed in other incidents.
This follows two earlier breaches at Zacks:
– January 2023: 820,000 customers affected (November 2021 – August 2022)
– May 2020: 8.8 million users impacted
While Zacks has not officially confirmed this latest incident, HIBP has validated the authenticity of the leaked database. The company’s silence on the matter raises concerns about its cybersecurity measures and incident response protocols.