A cybercriminal claimed to have stolen 15 million data records from the customers and clients of the company Zacks—a number that a separate investigation, after analysis, shaved down to just 12 million.

Zacks is an investment research company best known for its “Zacks Ranks,” which are daily lists that provide stock market watchers and likely investors with possible company portfolio purchases, ranked on a scale from one to five.

Over the years Zacks has suffered a few data breaches. In 2023, data allegedly belonging to Zacks containing 8,615,098 records was leaked online. The most recent data in this database is from May 2020. The data contains names, email addresses, usernames, passwords, phone numbers, addresses, company names, and additional personal information. This leak is being publicly shared on online forums.

In October 2024, we found data reported to belong to Zacks containing 8,441 records which includes email addresses, physical addresses, phone numbers, and full names, and potentially other compromised user details. This breach is also being publicly shared on the internet.

Now, a cybercriminal using the monicker Jurak, leaked sensitive information related to roughly 12 million accounts, which allegedly stems from a breach that happened last year.

“In June 2024, Zacks Investment Research suffered a data breach exposing their source code and their databases containing 15M lines of their customers and clients. This would be the 2nd (hacked back in 2020) major data breach for Zacks.

The data leaked in this thread contains usernames, emails, addresses, full names, phone numbers.

I thought about releasing the source code, but I don’t want every retard to have access to it. If you have high reputation and want the source code send a PM

Breached by @Jurak and @StableFish

Below is a sample of the customers database:

CLUE , HINT , PASSWORD , USERNAME , LAST_NAME , FIRST_NAME , CUSTOMER_ID , DATE_REGISTERED , DATE_UPDATED , DISPLAY_NAME , FIRM_NAME , TIMEZONE_CODE , LAST_PASSWORD_CHANGE”

BleepingComputer says it has reached out to Zacks on several occasions but didn’t get a response. As with other recent claims by criminals on BreachForums we have to be careful to take their word for anything, but Jurak claims they breached Zacks themselves in June 2024.

Jurak told BleepingComputer that they gained access to the company’s active directory as a domain admin and then stole source code for the main site (Zacks.com) and 16 other websites, including some internal websites. They also shared samples of the source code they had stolen as proof of the new breach.

Protecting yourself after a data breach

Losing data related to a financial account can have severe consequences. There are some actions you can take if you are, or suspect you may have been, the victim of a data breach.

• Check the vendor’s advice. Every breach is different, so check with the vendor to find out what’s happened, and follow any specific advice they offer.
• Change your password. You can make a stolen password useless to thieves by changing it. Choose a strong password that you don’t use for anything else. Better yet, let a password manager choose one for you.
• Enable two-factor authentication (2FA). If you can, use a FIDO2-compliant hardware key, laptop or phone as your second factor. Some forms of two-factor authentication (2FA) can be phished just as easily as a password. 2FA that relies on a FIDO2 device can’t be phished.
• Watch out for fake vendors. The thieves may contact you posing as the vendor. Check the vendor website to see if they are contacting victims, and verify the identity of anyone who contacts you using a different communication channel.
• Take your time. Phishing attacks often impersonate people or brands you know, and use themes that require urgent attention, such as missed deliveries, account suspensions, and security alerts.
• Consider not storing your card details. It’s definitely more convenient to get sites to remember your card details for you, but we highly recommend not storing that information on websites.
• Set up identity monitoring. Identity monitoring alerts you if your personal information is found being traded illegally online, and helps you recover after.

Check your digital footprint

If you want to find out what personal data of yours has been exposed online, you can use our free Digital Footprint scan. Fill in the email address you’re curious about (it’s best to submit the one you most frequently use) and we’ll send you a free report.