Investment research data breach exposes 12 million customers

Learn how you can stay safe from breaches like this

by Kurt Knutsson

If there is one sector that has outdone healthcare in data breaches and ransomware attacks, it is finance. Security incidents affecting financial institutions are becoming increasingly common, whether they involve banks, fintech companies, or investment research firms. The latest case involves Zacks, an American investment research company. Zacks Investment Research is a financial services company that provides stock research, analysis, and recommendations to its customers. Users typically sign up for Zacks’ services and provide their personal information voluntarily when creating accounts or subscribing to products. A cybercriminal claimed to have stolen 15 million customer and client records, but a separate investigation later confirmed the actual number to be 12 million.


What you need to know 

The Zacks Investment breach first came to light in late January 2025 when a hacker known as “Jurak” claimed on BreachForums that they had gained access to Zacks’ systems as early as June 2024. 

According to the hacker, they obtained domain administrator privileges for Zacks’ Active Directory, a critical network security component, allowing them to steal source code for Zacks.com and 16 other websites, including internal tools, along with user account data.

Unfortunately, the specific identities of the 16 other websites affected by the breach have not been disclosed; the hacker said some of them were internal but did not provide further details. The stolen information was then put up for sale on hacker forums, with samples offered for a small cryptocurrency payment to prove authenticity, as reported by BleepingComputer.

Even if you haven’t directly given information to Zacks, there’s a possibility that your data could have been exposed through one of the undisclosed websites or through a partner company that shares data with Zacks.

Further investigation confirmed the breach occurred in June 2024, exposing 12 million unique email addresses and other personal data. The fact that the attacker managed to gain domain admin access suggests a highly sophisticated attack, potentially exploiting vulnerabilities in Zacks’ network security. 

This is not the first time Zacks has suffered a breach. Previous incidents include a 2022 attack that compromised an older Zacks Elite product database from 1999 to 2005, as noted on Zacks’ own breach disclosure page.


What data got compromised

The Zacks Investment data breach, confirmed by Have I Been Pwned (HIBP), exposed a range of sensitive user information, putting those affected at risk. The leaked data includes email addresses, IP addresses, names, phone numbers, physical addresses, usernames, and unsalted SHA-256 hashed passwords.

This kind of information can be misused for phishing, identity theft, credential stuffing, harassment, SIM swapping, and even physical threats. Alarmingly, 93% of the leaked email addresses had already been exposed in previous breaches, making reused passwords an even bigger problem. The use of unsalted SHA-256 hashes for password storage, widely considered outdated, only adds to the risk: SHA-256 is fast to compute and, without a per-user salt, identical passwords produce identical hashes, making it easier for attackers to crack passwords and compromise accounts.
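To make the storage weakness concrete, here is an added example (not code from Zacks or from this article) that stores the same constructed accounts two ways: as unsalted SHA-256, the scheme reported in the breach, and as salted PBKDF2-HMAC-SHA256. The account names, passwords, record format and the 600,000-iteration work factor are assumptions chosen for illustration.

```python
import hashlib
import hmac
import os

ITERATIONS = 600_000   # assumed PBKDF2-HMAC-SHA256 work factor
SALT_BYTES = 16

def unsalted_sha256(password: str) -> str:
    # Scheme reported in the breach: one fast hash, no salt.
    return hashlib.sha256(password.encode("utf-8")).hexdigest()

def hash_password(password: str) -> str:
    # Hardened storage: fresh random salt per user plus a slow KDF.
    salt = os.urandom(SALT_BYTES)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${dk.hex()}"

def verify_password(password: str, record: str) -> bool:
    # Parse the stored record; malformed records fail closed.
    try:
        scheme, iters, salt_hex, dk_hex = record.split("$")
        iterations = int(iters)
        salt, expected = bytes.fromhex(salt_hex), bytes.fromhex(dk_hex)
    except ValueError:
        return False
    if scheme != "pbkdf2_sha256" or not 1 <= iterations <= 10_000_000 or not expected:
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(candidate, expected)  # constant-time comparison

def shared_digest_groups(table):
    # Users whose stored values are byte-for-byte identical.
    groups = {}
    for user, stored in table.items():
        groups.setdefault(stored, []).append(user)
    return [sorted(users) for users in groups.values() if len(users) > 1]

# Constructed sample accounts; alice and carol reuse the same password.
SAMPLE_USERS = {"alice": "Summer2024!", "bob": "correct horse battery", "carol": "Summer2024!"}

def build_tables(users=SAMPLE_USERS):
    weak = {u: unsalted_sha256(p) for u, p in users.items()}
    strong = {u: hash_password(p) for u, p in users.items()}
    return weak, strong

if __name__ == "__main__":
    weak, strong = build_tables()
    print("unsalted duplicates:", shared_digest_groups(weak))
    print("salted duplicates:  ", shared_digest_groups(strong))
    print("verify ok:", verify_password("Summer2024!", strong["alice"]))
```

In the unsalted table the two accounts that share a password are visibly linked, so recovering one password exposes both; with per-user salts every record is unique and each guess costs the full work factor.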

Despite the severity of the breach, Zacks Investment Research has yet to release an official statement as of February 2025. The lack of transparency is troubling, especially considering the scale of the breach and Zacks’ history with security incidents.


7 ways you can protect yourself after a data breach like this

1) Beware of phishing attempts and use strong antivirus software: After a data breach, scammers often use the stolen data to craft convincing phishing messages. These can come via email, text, or phone calls, pretending to be from trusted companies. Be extra cautious about unsolicited messages with links asking for personal or financial details, even if they reference recent orders or transactions. The best way to safeguard yourself from malicious links is to have strong antivirus software installed on all your devices. This protection can also alert you to phishing emails and ransomware scams, keeping your personal information and digital assets safe.

My top pick is TotalAV, and you can get a limited-time deal for CyberGuy readers: $19 your first year (80% off) for the TotalAV Antivirus Pro package. 


2) Invest in identity theft protection: Given the exposure of personal data, such as names, addresses, and order details, investing in identity theft protection services can provide an extra layer of security. These services monitor your financial accounts and credit report for any signs of fraudulent activity, alerting you to potential identity theft early on. They can also assist you in freezing your bank and credit card accounts to prevent further unauthorized use by criminals. 

One of the best parts of my #1 pick, Identity Guard, is that they have identity theft insurance of up to 1 million dollars to cover losses and legal fees and a white glove fraud resolution team where a US-based case manager helps you recover any losses.

Exclusive CyberGuy deal: 66% off Ultra Annual Plans: Get the Identity Guard Ultra protection to protect your identity and credit for as little as $9.99/mo (lowest offered anywhere) for the first year. 


3) Enable two-factor authentication (2FA) on accounts: Enabling two-factor authentication adds an extra layer of security to your online accounts. Even if hackers get hold of your login credentials, they won’t be able to access your accounts without the second verification step, such as a code sent to your phone or email. This simple step can significantly reduce the risk of unauthorized access to sensitive personal information.

 

4) Update your passwords: Change passwords for any accounts that may have been affected by the breach, and use unique, strong passwords for each account. Consider using a password manager. This can help you generate and store strong, unique passwords for all your accounts. Our top pick for a password manager is NordPass. NordPass is a secure and user-friendly password manager that uses zero-knowledge and military-grade XChaCha20 encryption to protect your data. It supports Windows, macOS, Linux, Android, iOS, and major browsers while offering unlimited password storage, secure sharing, password health reports, data breach monitoring, auto-fill, and emergency access.

CyberGuy Exclusive NordPass Deal: Save 56% and get 3 extra months FREE with a 2-year plan. Try 30 days risk-free for only $1.29/month!


5) Remove your personal data from public databases: If your personal data was exposed in this breach, it’s crucial to act quickly to reduce your risk of identity theft and scams. A service like Incogni can help you remove all this personal information from the internet. It has a very clean interface and will scan 200+ websites for your information, remove it, and keep it removed.

Special for CyberGuy Readers (60% off): Incogni offers a 30-day money-back guarantee. Through the links in this article only, it then charges a special CyberGuy discount of $5.99/month for one person (billed annually) or $13.19/month for your family (up to 4 people) on their annual plan. That gets you a fully automated data removal service, including recurring removal from 200+ data brokers. You can add up to 3 emails, 3 home addresses and 3 phone numbers (U.S. citizens only) and have them removed from data-broker databases. I recommend the family plan because it works out to only $4.12 per person per month for year-round coverage. It’s an excellent service, and I highly recommend at least trying it out to see what it’s all about.


Kurt’s key takeaway

The Zacks Investment breach highlights just how real the threat of cyberattacks is for financial institutions. With millions of users affected and personal data exposed, the risks of scams and identity theft are higher than ever. The fact that Zacks hasn’t said much about the breach only adds to the uncertainty for those impacted. As these types of attacks become more common, it’s more important than ever to stay on top of your online security—use unique passwords, keep an eye on your accounts, and stay alert for any signs of suspicious activity.

Should there be stricter regulations for how companies disclose breaches and protect customer data? Let us know in the comments below.


Copyright 2025 CyberGuy.com.  All rights reserved.  CyberGuy.com articles and content may contain affiliate links that earn a commission when purchases are made.


3 comments

Debbie March 2, 2025 - 5:31 am

Yes, I believe companies need to be made in strong security measures! Hackers needs blocked! Everything I have is on the dark web and it’s a mess to clean up.

A G R. March 2, 2025 - 12:41 pm

Hacked firms should be required to notify clients IMMEDIATELY. In addition, companies hacked should be required to immediately contact Fed and State agencies with financial fraud responsibility so that the local public and financial firms (banks, brokerages) can be notified real time. Delay in notification is UNACCEPTABLE.

John C March 2, 2025 - 5:57 pm

The companies that don’t keep your data secure should be required to pay for services to remove your data from the dark web in addition to credit monitoring & identity theft protection. Law enforcement needs to step it up & arrest the hackers here & abroad. The hackers need to be sentenced to prison for a minimum of 20 years for the havoc they are creating.
