Zacks Investment Research confirmed a major data breach in which encrypted passwords were stolen from an unspecified number of customers. The breach, linked to a previous hack, was exposed by the breach notification site Have I Been Pwned? (HIBP). It was reported that data connected to almost 9 million customers is circulating on a hacking forum. The exposed data includes names, usernames, email and physical addresses, phone numbers, and unsalted SHA-256 hashed passwords. The exact number of impacted customers remains unclear. However, Zacks affirmed that there is no indication that customer credit card or other financial information was accessed.
The scope of the breach is estimated at 8.9 million and the compromised data dates back to May 2020. According to HIBP, a previous data breach in December 2022 impacted 820k customers and by June 2023, data related to nearly 9M customers was being widely circulated on a hacking forum.
Zacks has pledged to take steps to enhance password security and regrets any inconvenience to its customers. The stolen passwords were stored as unsalted SHA-256 hashes. While this method of data protection meets industry standards, the Zacks breach illustrates its potential vulnerability: because the passwords were hashed but not salted, identical passwords produce identical hashes, which leaves them susceptible to the sophisticated bypass techniques used by hackers.
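The difference between unsalted SHA-256 and salted storage, as an added example that is not code from Zacks or HIBP: it counts accounts that share a hash under the unsalted scheme, then upgrades each record to a per-user salt with PBKDF2 on the next successful login. The record format, function names, iteration count and sample accounts are assumptions made for the illustration.

```python
import hashlib
import hmac
import os
from collections import Counter

ITERATIONS = 600_000  # assumption: work factor chosen for this example

def legacy_hash(password):
    """Unsalted SHA-256, the storage scheme described in the breach."""
    return hashlib.sha256(password.encode()).hexdigest()

def shared_hashes(db):
    """Number of accounts whose stored value is identical to another account's."""
    counts = Counter(db.values())
    return sum(n for n in counts.values() if n > 1)

def kdf_hash(password, salt=b"", iterations=ITERATIONS):
    """Random 16-byte salt per record plus PBKDF2-HMAC-SHA256."""
    salt = salt or os.urandom(16)
    key = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2${iterations}${salt.hex()}${key.hex()}"

def verify(password, stored):
    """Check a password against either record format in constant time."""
    if stored.startswith("pbkdf2$"):
        _, iters, salt_hex, _ = stored.split("$")
        candidate = kdf_hash(password, bytes.fromhex(salt_hex), int(iters))
        return hmac.compare_digest(candidate, stored)
    return hmac.compare_digest(legacy_hash(password), stored)

def login(db, user, password):
    """Verify the password; on success, replace a legacy record with a salted one."""
    stored = db.get(user)
    if stored is None or not verify(password, stored):
        return False
    if not stored.startswith("pbkdf2$"):
        db[user] = kdf_hash(password)
    return True

# Constructed sample accounts (not data from the breach).
SAMPLE_DB = {
    "alice": legacy_hash("Summer2020!"),
    "bob": legacy_hash("Summer2020!"),    # same password, so same unsalted hash
    "carol": legacy_hash("t7#Lq-unique"),
}

if __name__ == "__main__":
    db = dict(SAMPLE_DB)
    print("accounts sharing a hash before:", shared_hashes(db))
    login(db, "alice", "Summer2020!")
    login(db, "bob", "Summer2020!")
    print("accounts sharing a hash after:", shared_hashes(db))
```

Records belonging to users who never log in again stay in the legacy format until they are reset or re-wrapped by some other process.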
To mitigate potential threats, it is important to implement additional cybersecurity measures with the help of a trusted partner like INFRA, or you can try yourself using