If there is a department that surpasses Healthcare in data breaches and ransomware attacks, which are finances.
Security incidents affecting financial institutions are becoming increasingly common, whether it is banks, fintech companies or investment research companies.
The latest case involves the US investment research firm Zacks. Cyber criminals claim 15 million customers and customer records were stolen, but another investigation later confirmed that the actual number was 12 million.
Illustration of hacker at work. (Kurt “Cyberguy” Knutsson)
What you need to know
The Zacks investment violation was first revealed in late January 2025 when a hacker known as “Jurak” claimed to be a violation of the bill and they had access to Zacks’ systems as early as June 2024.
According to the hackers, they gained Zacks’ Active Directory, a domain administrator privilege for a critical cybersecurity component, allowing them to steal Zacks.com’s source code and 16 other websites, including internal tools, as well as user account data. The stolen information is then sold on the hacking forum and a sample of small cryptocurrency payments are provided for proof of authenticity. BleepingComputer.
Further investigation confirmed that the violation occurred in June 2024, revealing 12 million unique email addresses and other personal data. The fact that attackers manage to gain domain management access suggests that highly complex attacks can exploit vulnerabilities in Zacks’ network security.
This is not the first time Zacks Has suffered a violation. Previous incidents include the 2022 attack that damaged the older Zacks Elite product database from 1999 to 2005, as described in Zacks’ own violation disclosure page.
Threatening actor’s post about Breachforums. (BleepingComputer)
The Hidden Cost of Free Applications: Your Personal Information
Which data have been compromised
The Zacks Investment Data Breach was confirmed by me (HIBP), exposing a range of sensitive user information that puts affected people at risk. Leaked data includes email address, IP address, name, phone number, physical address, username and saltless SHA-256 hashed password.
This information can be misused for phishing, identity theft, credential filling, harassment, SIM card or even physical threats. Shockingly, 93% of leaked email addresses have been exposed in previous violations, making reused passwords a bigger problem. The use of a salt-free SHA-256 hash (broadly considered obsolete) only increases the risk, making it easier for attackers to crack passwords and trade off accounts.
Despite the severity of the violation, Zacks Investment Research has not issued a formal statement as of February 2025. The lack of transparency is disturbing, especially given the scale of defaults and the Zacks history is related to security incidents.
What is artificial intelligence (AI)?
A person scrolling on the phone. (Kurt “Cyberguy” Knutsson)
From tiktok to trouble: How to use your online data weapon against you
7 ways you can protect yourself after such a data breach
1. Beware of phishing and try it out and use powerful antivirus software: After data breaches, scammers often use stolen data to create compelling phishing information. These can be arrived via email, text message or phone call, pretending to be from a trusted company. Even if they refer to recent orders or transactions, be cautious about unsolicited messages. The best way to protect yourself from malicious links is to install powerful antivirus software on all devices. This protection can also remind you about phishing email and ransomware scams, ensuring your personal information and digital assets are secure. The choice of the best 2025 antivirus protection winners for your Windows, Mac, Android and iOS devices.
Click here to visit Fox Business
2. Investment Identity Theft Protection: Taking into account the exposure of personal data, such as name, address and order details, investing in identity theft protection services can provide additional security. These services monitor your financial accounts and credit reports for any signs of fraudulent activity, allowing you to alert you about potential identity theft as early as possible. They can also help you freeze your bank and credit card accounts to prevent further unauthorized use by criminals. See my tips and best options to protect yourself from identity theft.
3. Enable two-factor authentication (2FA) on your account: Enable Two-factor authentication Added extra security to your online account. Even if the hacker has mastered your login credentials, they cannot access your account without a second verification step, such as the code sent to your phone or email. This simple step can significantly reduce the risk of unauthorized access to sensitive personal information.
4. Update password: Change the password for any account that may be affected by the vulnerability and use a unique strong password for each account. Consider using Password Manager. Get more details about me Best Expert Review Password Manager for 2025.
5. Delete your personal data from a public database: If your personal data is exposed in this breach, it is crucial to act quickly to reduce the risk of identity theft and scams. While there is no service that guarantees complete deletion of data from the Internet, a data deletion service is indeed a wise choice. They are not cheap – nor are your privacy. These services provide you with all your work by actively monitoring and systematically deleting your personal information from hundreds of websites. This is where I feel at ease and proves to be the most effective way to delete your personal data from the internet. By limiting the available information, you can reduce the risk of cross-references of data from fraudsters in violations and find information on the dark web, making it harder for them to target you. Check out my preferred data deletion service here.
Large-scale security vulnerabilities put the most popular browsers at risk on Mac
Kurt’s key points
Zacks’ investment violates the real threat of cyberattacks to financial institutions. With millions of users’ impact and personal data exposed, the risk of scams and identity theft is higher than ever. Zacks doesn’t say much about violations, which only increases uncertainty among those affected. As these types of attacks become more common, it is more important than ever to master online security (using a unique password, keep a close eye on your account, and stay alert for any suspicious signs of activity).
Click here to get the Fox News app
Are regulations more stringent on how companies disclose violations and protect customer data? Let’s write to us cyberguy.com/contact
For more technical tips and security alerts for me, please subscribe to my free online reporting newsletter cyberguy.com/newsletter
Ask Kurt a question, or let us know what stories you want us to cover.
Follow Kurt on his social channels:
Answers to the most popular web guess questions:
New things from Kurt:
Copyright 2025 CyberGuy.com. all rights reserved.
