If there is one sector that has outdone healthcare in data breaches and ransomware attacks, it is finance.
Security incidents affecting financial institutions are becoming increasingly common, whether they involve banks, fintech companies or investment research firms.
The latest case involves Zacks, an American investment research company. A cybercriminal claimed to have stolen 15 million customer and client records, but a separate investigation later confirmed the actual number to be 12 million.
STAY PROTECTED & INFORMED! GET SECURITY ALERTS & EXPERT TECH TIPS — SIGN UP FOR KURT’S THE CYBERGUY REPORT NOW
What you need to know
The Zacks Investment breach first came to light in late January 2025 when a hacker known as “Jurak” claimed on BreachForums that they had gained access to Zacks’ systems as early as June 2024.
According to the hacker, they obtained domain administrator privileges for Zacks’ active directory, a critical network security component, allowing them to steal source code for Zacks.com and 16 other websites, including internal tools, along with user account data. The stolen information was then put up for sale on hacker forums, with samples offered for a small cryptocurrency payment to prove authenticity, as reported by BleepingComputer.
Further investigation confirmed the breach occurred in June 2024, exposing 12 million unique email addresses and other personal data. The fact that the attacker managed to gain domain admin access suggests a highly sophisticated attack, potentially exploiting vulnerabilities in Zacks’ network security.
This is not the first time Zacks has suffered a breach. Previous incidents include a 2022 attack that compromised an older Zacks Elite product database from 1999 to 2005, as noted on Zacks’ own breach disclosure page.
THE HIDDEN COSTS OF FREE APPS: YOUR PERSONAL INFORMATION
What data got compromised
The Zacks Investment data breach, confirmed by Have I Been Pwned (HIBP), exposed a range of sensitive user information, putting those affected at risk. The leaked data includes email addresses, IP addresses, names, phone numbers, physical addresses, usernames, and unsalted SHA-256 hashed passwords.
This kind of information can be misused for phishing, identity theft, credential stuffing, harassment, SIM swapping and even physical threats. Alarmingly, 93% of the leaked email addresses had already been exposed in previous breaches, making reused passwords an even bigger problem. The use of unsalted SHA-256 hashes — widely considered outdated — only adds to the risk, making it easier for attackers to crack passwords and compromise accounts.
Despite the severity of the breach, Zacks Investment Research has yet to release an official statement as of February 2025. The lack of transparency is troubling, especially considering the scale of the breach and Zacks’ history with security incidents.
WHAT IS ARTIFICIAL INTELLIGENCE (AI)?
FROM TIKTOK TO TROUBLE: HOW YOUR ONLINE DATA CAN BE WEAPONIZED AGAINST YOU
7 ways you can protect yourself after a data breach like this
1. Beware of phishing attempts and use strong antivirus software: After a data breach, scammers often use the stolen data to craft convincing phishing messages. These can come via email, text or phone calls, pretending to be from trusted companies. Be extra cautious about unsolicited messages with links asking for personal or financial details, even if they reference recent orders or transactions. The best way to safeguard yourself from malicious links is to have strong antivirus software installed on all your devices. This protection can also alert you to phishing emails and ransomware scams, keeping your personal information and digital assets safe. Get my picks for the best 2025 antivirus protection winners for your Windows, Mac, Android and iOS devices.
2. Invest in identity theft protection: Given the exposure of personal data, such as names, addresses and order details, investing in identity theft protection services can provide an extra layer of security. These services monitor your financial accounts and credit report for any signs of fraudulent activity, alerting you to potential identity theft early on. They can also assist you in freezing your bank and credit card accounts to prevent further unauthorized use by criminals. See my tips and best picks on how to protect yourself from identity theft.
3. Enable two-factor authentication (2FA) on accounts: Enabling two-factor authentication adds an extra layer of security to your online accounts. Even if hackers get hold of your login credentials, they won’t be able to access your accounts without the second verification step, such as a code sent to your phone or email. This simple step can significantly reduce the risk of unauthorized access to sensitive personal information.
4. Update your passwords: Change passwords for any accounts that may have been affected by the breach, and use unique, strong passwords for each account. Consider using a password manager. Get more details about my best expert-reviewed Password Managers of 2025 here.
5. Remove your personal data from public databases: If your personal data was exposed in this breach, it’s crucial to act quickly to reduce your risk of identity theft and scams. While no service can guarantee the complete removal of your data from the internet, a data removal service is really a smart choice. They aren’t cheap — and neither is your privacy. These services do all the work for you by actively monitoring and systematically erasing your personal information from hundreds of websites. It’s what gives me peace of mind and has proven to be the most effective way to erase your personal data from the internet. By limiting the information available, you reduce the risk of scammers cross-referencing data from breaches with information they might find on the dark web, making it harder for them to target you. Check out my top picks for data removal services here.
MASSIVE SECURITY FLAW PUTS MOST POPULAR BROWSERS AT RISK ON MAC
Kurt’s key takeaways
The Zacks Investment breach highlights just how real the threat of cyberattacks is for financial institutions. With millions of users affected and personal data exposed, the risks of scams and identity theft are higher than ever. The fact that Zacks hasn’t said much about the breach only adds to the uncertainty for those impacted. As these types of attacks become more common, it’s more important than ever to stay on top of your online security — use unique passwords, keep an eye on your accounts, and stay alert for any signs of suspicious activity.
Should there be stricter regulations for how companies disclose breaches and protect customer data? Let us know by writing us at Cyberguy.com/Contact
For more of my tech tips and security alerts, subscribe to my free CyberGuy Report Newsletter by heading to Cyberguy.com/Newsletter
Ask Kurt a question or let us know what stories you’d like us to cover.
Follow Kurt on his social channels:
Answers to the most-asked CyberGuy questions:
New from Kurt:
Copyright 2025 CyberGuy.com. All rights reserved.
Read the full article here
