Zacks Data Breach
Zacks Investment Research Breach (2020): 8.9 Million Customer Records Including Passwords & Home Address Exposed
Financial research and data firm.
Risk Interpretation
High risk of spearphishing, investment fraud, and advisory impersonation. Subscription and research-interest data can reveal investor intent and increase scam credibility.
Impact & Downstream Threats
Data from Zacks dating to May 2020 surfaced publicly in 2022 and again in broader circulation in 2023, ultimately exposing approximately 8.9 million customer records including email addresses, usernames, passwords, phone numbers, and home addresses. Zacks disclosed a breach affecting 820,000 customers in December 2022, but the subsequently circulated corpus substantially exceeded that figure. The gap between the disclosed scope and the actual dataset drew criticism. No settlement or major regula
- Credential stuffing against reused passwords across other platforms
- SIM swap attacks where phone numbers are present
- Targeted phishing campaigns using exposed email addresses
- Doxxing risk from physical address exposure
Threat Vectors
Breach Intelligence
Executive Summary
Zacks Investment Research, a Chicago-based financial data and analysis firm, suffered a data breach affecting approximately 8.9 million customer records. The breach was first disclosed in December 2022, with Zacks initially reporting that around 820,000 customers were affected by unauthorized access occurring between November 2021 and August 2022. In June 2023, a far larger dataset containing records from nearly 8.8 million Zacks users appeared on a hacking forum. That dataset appeared to originate from a separate, earlier incident, with the most recent records dated May 2020. The attack pathway involved a misconfiguration that allowed direct access to customer data. The exposed data included full names, usernames, email addresses, home addresses, phone numbers, and passwords. The passwords were stored as unsalted SHA-256 hashes, a weak form of protection that makes them relatively easy to crack with modern tools. Zacks described the passwords as "encrypted," but unsalted SHA-256 is not encryption and provides limited security. The combination of contact details and crackable passwords creates serious exposure for affected individuals. No major regulatory action or settlement specific to this breach has been publicly documented. Zacks did acknowledge in later statements that the unauthorized parties had also accessed customer passwords beyond what was initially reported. People whose data was exposed face elevated risks of phishing attacks, investment fraud, and account takeovers, particularly given that Zacks customers are identifiable as active investors, which increases the credibility and targeting precision of financial scams.
About Zacks
Zacks Investment Research is a Chicago-based financial research and data firm providing investment analysis, stock screening tools, earnings estimate data, and advisory services to retail and institutional investors. The company is private and has operated since 1978 as a provider of proprietary earnings data, analyst ratings, and market intelligence.
Why They Hold Your Data
Investment research and advisory firms collect subscriber identity, contact details, billing records, newsletter subscriptions, and research-consumption behavior tied to financial analysis services.
Recent Developments
Zacks has continued to operate as a financial research platform through a period in which it experienced multiple distinct data security incidents across 2020, 2023, and 2024. The pattern of repeated breaches drew attention from security researchers and media. No major organizational changes beyond the breach response context have been prominently reported.
Data Points Exposed
Exposure Categories
Canonical Fields
email_address, full_name, password, phone_number, physical_address, physical_address:home, username
Dark Web Verification
- Dataset containing ~8.9M records identified in breach intelligence sources
- Data indexed and searchable across breach notification platforms
- Source: Zacks Data Breach;zacks-2020
Recommended Actions
⚠️ Do not assume this is low sensitivity.
Protect Yourself
Check If You’re Affected
Enter your email to check if your data appears in this breach.
Get Free Breach Alerts
Be the first to know when new breaches are disclosed.
High-Risk? Get an Exposure Audit
Full-spectrum exposure audits for executives and public figures.
ObscureIQ Advisory
We combine proprietary dark web access with commercial and restricted breach intelligence to verify exposure and assess real-world risk.
- A public-facing individual
- A high-profile executive
- A customer of Zacks
- Or concerned about credential reuse
Powered by the ObscureIQ Breach Intelligence Database
© 2026 ObscureIQ · All Rights Reserved · Data Licensing
Latest from ObscureIQ
What Is Credit Monitoring? And Do I Want It? (Answer: Not Really)
Lock Down Browsers. Wipe Employee Footprints. Win Breach Wars.
Sextortion Spam