Zacks 2020 Data Breach

Zacks Investment Research Breach (2020): 8.9 Million Customer Records Including Passwords & Home Address Exposed | ObscureIQ
ObscureIQ Breach Intelligence

Classification Tags

MisconfigurationFinancialEmail AddressFull NamePasswordPhone NumberPhysical AddressUsername
Low SeverityWebsite / service breach

Zacks Investment Research Breach (2020): 8.9 Million Customer Records Including Passwords & Home Address Exposed

Financial research and data firm.

Verified by ObscureIQ Intelligence
17/100Breach Risk Index
8Data Value
10Market Recency
1052dSince Breach

Breach Intelligence Summary

Entity: Zacks · Actor: Unknown · Sources: 5 references
Attack: Misconfiguration
Profile: Company · Financial research and analysis · Investment data and advisory services · USA
Timeline: Breach (2020-05-10) · Indexed (Jun 10, 2023) · Year (2020)
Exposure: 8.9M records · 6 fields: Email Address, Full Name, Password, Phone Number, Physical Address, Username
Status: Confirmed

Executive Summary

Zacks Investment Research, a Chicago-based financial data and analysis firm, suffered a data breach affecting approximately 8.9 million customer records. The breach was first disclosed in December 2022, with Zacks initially reporting that around 820,000 customers were affected by unauthorized access occurring between November 2021 and August 2022. In June 2023, a far larger dataset containing records from nearly 8.8 million Zacks users appeared on a hacking forum. That dataset appeared to originate from a separate, earlier incident, with the most recent records dated May 2020. The attack pathway involved a misconfiguration that allowed direct access to customer data. The exposed data included full names, usernames, email addresses, home addresses, phone numbers, and passwords. The passwords were stored as unsalted SHA-256 hashes, a weak form of protection that makes them relatively easy to crack with modern tools. Zacks described the passwords as "encrypted," but unsalted SHA-256 is not encryption and provides limited security. The combination of contact details and crackable passwords creates serious exposure for affected individuals. No major regulatory action or settlement specific to this breach has been publicly documented. Zacks did acknowledge in later statements that the unauthorized parties had also accessed customer passwords beyond what was initially reported. People whose data was exposed face elevated risks of phishing attacks, investment fraud, and account takeovers, particularly given that Zacks customers are identifiable as active investors, which increases the credibility and targeting precision of financial scams.

ObscureIQ assessment: High risk of spearphishing, investment fraud, and advisory impersonation. Subscription and research-interest data can reveal investor intent and increase scam credibility.

Breach Impact

Data from Zacks dating to May 2020 surfaced publicly in 2022 and again in broader circulation in 2023, ultimately exposing approximately 8.9 million customer records including email addresses, usernames, passwords, phone numbers, and home addresses. Zacks disclosed a breach affecting 820,000 customers in December 2022, but the subsequently circulated corpus substantially exceeded that figure. The gap between the disclosed scope and the actual dataset drew criticism. No settlement or major regulatory action specific to this incident has been documented.

About Zacks

Zacks Investment Research is a Chicago-based financial research and data firm providing investment analysis, stock screening tools, earnings estimate data, and advisory services to retail and institutional investors. The company is private and has operated since 1978 as a provider of proprietary earnings data, analyst ratings, and market intelligence.

Why They Hold Your Data

Investment research and advisory firms collect subscriber identity, contact details, billing records, newsletter subscriptions, and research-consumption behavior tied to financial analysis services.

Recent Developments

Zacks has continued to operate as a financial research platform through a period in which it experienced multiple distinct data security incidents across 2020, 2023, and 2024. The pattern of repeated breaches drew attention from security researchers and media. No major organizational changes beyond the breach response context have been prominently reported.

Data Points Exposed

6 verified field types
Email Address
Full Name High
Password Critical
Phone Number
Physical Address High
Username

Field names are shown in full for clarity and search visibility. Canonical machine keys are emitted only in this page’s structured data.

Exploitation & Downstream Threats

Threat Activity:High
Primary downstream threats:
  • Credential stuffing against reused passwords across other platforms
  • SIM swap attacks where phone numbers are present
  • Targeted phishing campaigns using exposed email addresses
  • Doxxing risk from physical address exposure
Threat vectors:
  • Phishing, credential stuffing & account takeover
  • Name-based social engineering
  • Credential stuffing & account takeover
  • SIM swapping, vishing & SMS phishing
  • Physical stalking, mail fraud & identity verification
  • Home targeting, stalking & physical threat
  • Cross-platform tracking & credential stuffing

Recommended Actions

If you believe your information may be included:

Change Reused Passwords
Update this account and anywhere you reused the password; use a manager.
Password manager guide
Enable MFA Everywhere
Turn on multi-factor authentication on email first, then financial accounts.
Find 2FA settings
Report & Recover
If you spot misuse, start an official recovery plan and report fraud.
IdentityTheft.govReport to FTC

Frequently Asked Questions

What happened in the Zacks breach?

Zacks Investment Research, a Chicago-based financial data and analysis firm, suffered a data breach affecting approximately 8.9 million customer records. The breach was first disclosed in December 2022, with Zacks initially reporting that around 820,000 customers were affected by unauthorized…

What data was exposed?

Verified fields include Email Address, Full Name, Password, Phone Number, Physical Address, Username.

What should I do if I was affected?

Change reused passwords, enable MFA, and (if identity or financial data is involved) freeze your credit and monitor your accounts.

Sources & References

Every claim on this page is traceable. This breach draws on:

Breach Index
Have I Been Pwned
Record & field corroboration
Breach Index
DataBreach.com
Record & field corroboration
Cross-source
9ghz
Independent catalogue listing
Cross-source
BreachForums_Official_Index
Independent catalogue listing
ObscureIQ Intelligence
ObscureIQ proprietary analysis
Risk Index scoring & downstream-threat assessment

Protect Yourself

Check If You're Affected

Enter your email to check whether your data appears in this breach. We’ll send a 6-digit code to confirm it’s your address.

Get Free Breach Alerts

Be the first to know when new breaches are disclosed. Free forever — confirm your email with a 6-digit code.

High-Risk? Get an Exposure Audit

Executives, public figures, and high-visibility operators can receive tailored exposure intelligence and hardening guidance.

Request Consultation