Zacks 2024 Data Breach

Zacks Investment Research Breach (2024): 12 Million Customer Records Including Passwords, Phone & Address Exposed :: Second Confirmed Breach | ObscureIQ
ObscureIQ Breach Intelligence

Classification Tags

FinancialEmail AddressFull NameIP AddressPasswordPhone NumberPhysical AddressUsername
Low SeverityWebsite / service breach

Zacks Investment Research Breach (2024): 12 Million Customer Records Including Passwords, Phone & Address Exposed :: Second Confirmed Breach

Financial research and data firm.

Verified by ObscureIQ Intelligence
34/100Breach Risk Index
10Data Value
25Market Recency
439dSince Breach

Breach Intelligence Summary

Entity: Zacks · Actor: Unknown · Sources: 4 references
Attack: Unknown
Profile: Company · Financial research and analysis · Investment data and advisory services · USA
Timeline: Breach (2020-05-10) · Indexed (Feb 12, 2025) · Year (2024)
Exposure: 12.0M records · 7 fields: Email Address, Full Name, IP Address, Password, Phone Number, Physical Address, Username
Status: Confirmed

Executive Summary

Zacks Investment Research, a Chicago-based financial data and analysis firm, suffered a data breach in 2024 when a threat actor published a dataset on a prominent hacking forum containing records from approximately 12 million customers. The exposure followed a separate breach Zacks confirmed in 2023. The 2024 dataset appears to be a superset of the earlier incident, expanding the cumulative scale of exposed customer data. The attack vector remains unknown, and Zacks did not respond to multiple attempts to contact them about the 2024 publication. The exposed data includes email addresses, names, usernames, passwords, phone numbers, physical addresses, and IP addresses. The passwords were stored as unsalted SHA-256 hashes, a weak protection method that makes them significantly easier to crack than properly secured alternatives. Affected individuals face elevated risk of account takeover, identity theft, and targeted financial fraud. Because Zacks serves retail and institutional investors, their association with the platform can make them more convincing targets for investment scams and impersonation schemes. Zacks publicly acknowledged the 2023 breach but has not issued detailed statements confirming the 2024 forum publication as a distinct incident. No regulatory action or litigation has been publicly confirmed in connection with the 2024 exposure. People whose data was included should treat their Zacks credentials as compromised, change any reused passwords across other accounts, and remain alert to phishing attempts that may reference their investment activity or financial interests.

ObscureIQ assessment: High risk of spearphishing, investment fraud, and advisory impersonation. Subscription and research-interest data can reveal investor intent and increase scam credibility.

Breach Impact

In June 2024 a threat actor published to a hacking forum a dataset described as a superset of the prior Zacks breach material, adding approximately 12 million further records and representing cumulative exposure of personal and account data from the company's customer base across multiple incidents. Zacks acknowledged the prior 2023 breach but has not made detailed public statements confirming the 2024 publication as a distinct incident. The pattern of successive, escalating exposures from the same organization drew sustained attention in breach intelligence communities.

About Zacks

Zacks Investment Research is a Chicago-based financial research and data firm providing investment analysis, stock screening tools, earnings estimate data, and advisory services to retail and institutional investors. The company is private and has operated since 1978 as a provider of proprietary earnings data, analyst ratings, and market intelligence.

Why They Hold Your Data

Investment research and advisory firms collect subscriber identity, contact details, billing records, newsletter subscriptions, and research-consumption behavior tied to financial analysis services.

Recent Developments

Zacks has continued to operate as a financial research platform through a period in which it experienced multiple distinct data security incidents across 2020, 2023, and 2024. The pattern of repeated breaches drew attention from security researchers and media. No major organizational changes beyond the breach response context have been prominently reported.

Data Points Exposed

7 verified field types
Email Address
Full Name High
IP Address
Password Critical
Phone Number
Physical Address High
Username

Field names are shown in full for clarity and search visibility. Canonical machine keys are emitted only in this page’s structured data.

Exploitation & Downstream Threats

Threat Activity:Critical
Primary downstream threats:
  • Credential stuffing against reused passwords across other platforms
  • SIM swap attacks where phone numbers are present
  • Targeted phishing campaigns using exposed email addresses
  • Doxxing risk from physical address exposure
Threat vectors:
  • Phishing, credential stuffing & account takeover
  • Name-based social engineering
  • Geolocation & account flagging
  • Credential stuffing & account takeover
  • SIM swapping, vishing & SMS phishing
  • Physical stalking, mail fraud & identity verification
  • Cross-platform tracking & credential stuffing

Recommended Actions

If you believe your information may be included:

Change Reused Passwords
Update this account and anywhere you reused the password; use a manager.
Password manager guide
Enable MFA Everywhere
Turn on multi-factor authentication on email first, then financial accounts.
Find 2FA settings
Report & Recover
If you spot misuse, start an official recovery plan and report fraud.
IdentityTheft.govReport to FTC

Frequently Asked Questions

What happened in the Zacks breach?

Zacks Investment Research, a Chicago-based financial data and analysis firm, suffered a data breach in 2024 when a threat actor published a dataset on a prominent hacking forum containing records from approximately 12 million customers. The exposure followed a separate breach Zacks confirmed in…

What data was exposed?

Verified fields include Email Address, Full Name, IP Address, Password, Phone Number, Physical Address, Username.

What should I do if I was affected?

Change reused passwords, enable MFA, and (if identity or financial data is involved) freeze your credit and monitor your accounts.

Sources & References

Every claim on this page is traceable. This breach draws on:

Breach Index
Have I Been Pwned
Record & field corroboration
Cross-source
9ghz
Independent catalogue listing
Cross-source
BreachForums_Official_Index
Independent catalogue listing
ObscureIQ Intelligence
ObscureIQ proprietary analysis
Risk Index scoring & downstream-threat assessment

Protect Yourself

Check If You're Affected

Enter your email to check whether your data appears in this breach. We’ll send a 6-digit code to confirm it’s your address.

Get Free Breach Alerts

Be the first to know when new breaches are disclosed. Free forever — confirm your email with a 6-digit code.

High-Risk? Get an Exposure Audit

Executives, public figures, and high-visibility operators can receive tailored exposure intelligence and hardening guidance.

Request Consultation