If there is one sector that outperforms healthcare in data breaches and ransomware attacks, it is funding.
Security incidents affecting financial institutions are becoming increasingly common, whether they involve banks, fintech companies or investment research companies.
The most recent cases include Zacks, an American investment research firm. Cybercriminals claimed they stole records of 15 million customers and clients, but another investigation confirmed that the actual number was 12 million.
Be protected and informed! Get security alerts and expert technical tips – Sign up for The CyberGuy Report in Cart now
Hacker illustration at work. (Kurt “Cyberguy” Knutsson)
What you need to know
Zacks’ investment violations first came to light in late January 2025 when a hacker known as “Jurak” claimed the violation in June 2024 that he had accessed Zacks’ system.
According to Hacker, they gained domain administrator privileges for Zacks’ Active Directory, a critical network security component, and were able to steal source code for Zacks.com and 16 other websites, including internal tools along with user account data. The stolen information was then put for sale on the Hacker Forum and samples were provided for payments of small cryptocurrency to prove reliability, as reported by BreepingComputer.
Further investigation confirmed the violation occurred in June 2024, releasing 12 million unique email addresses and other personal data. The fact that attackers were able to gain domain administrator access suggests a very sophisticated attack that could potentially exploit Zacks’ network security vulnerability.
This is not the first time Zacks has been breached. Previous incidents included a 2022 attack that compromised an old Zacks Elite product database from 1999 to 2005, as described on Zacks’ own violation disclosure page.
Posts of violating actors. (BleepingComputer)
Hidden Costs of Free Apps: Your Personal Information
Which data was compromised?
Zacks’ investment data breach has been confirmed to pwned (HIBP) and has made it public with various confidential user information and put the affected people at risk. The leaked data includes an email address, IP address, name, phone number, physical address, username, and a saltless SHA-256 hash password.
This type of information can be misused for phishing, identity theft, stuffing credentials, harassment, exchange of Sims, and even physical threats. Surprisingly, 93% of leaked email addresses were already publicly available for previous violations, making reused passwords an even bigger problem. Using unsalted SHA-256 hash (widely considered outdated) simply adds risk and makes it easier for attackers to crack passwords and compromise your account.
Despite the severity of the violation, Zacks Investment Research has not yet issued an official statement as of February 2025. The lack of transparency is awkward, especially considering the violations regarding security cases and the scale of Zacks’ history.
What is Artificial Intelligence (AI)?
Someone scrolling on the phone. (Kurt “Cyberguy” Knutsson)
From Tiktok to Trouble: How to weaponize your online data against you
Seven ways to protect yourself after such a data breach
1. Beware of phishing attempts and use powerful antivirus software. After a data breaches, fraudsters often use stolen data to create persuasive phishing messages. These can come by email, text, or call, pretending to be from a trusted company. Please be particularly careful about unsolicited messages with links requesting personal or financial details, even if you are referring to a recent order or transaction. The best way to protect yourself from malicious links is to install powerful antivirus software on all your devices. This protection can also warn you that it will phish email and ransomware scams and keep your personal information and digital assets safe. Get the best 2025 Antivirus Protection Winners picks for Windows, Mac, Android and iOS devices.
Click here to get your Fox business on the go
2. Investing in identity theft protection: Given the exposure of personal data such as name, address, and order details, investment in identity theft protection services may provide an additional layer of security. These services monitor financial accounts and credit reports for signs of fraudulent activity and alert you to early potential identity theft. They can also help freeze bank and credit card accounts to prevent further fraudulent use by criminals. Check out my tips and best choices on how to protect yourself from identity theft.
3. Enable 2-Factor Authentication (2FA) on your account: Enabling 2-Factor Authentication adds an additional layer of security to your online account. Even if a hacker gets his login credentials, he will not be able to access his account without a second verification step, such as a code sent to a phone or email. This simple step can significantly reduce the risk of unauthorized access to sensitive personal information.
4. Update Password: Change the password of accounts that may have been affected by the violation and use a unique, strong password for each account. Consider using a password manager. For more information about my best expert reviewed password managers of 2025, click here.
5. Delete Personal Data from Public Database: If your personal data is published for this violation, it is important to act promptly to reduce the risk of identity theft and fraud. Although there is no service that guarantees the complete deletion of data from the Internet, data deletion services are truly a wise choice. They aren’t cheap – and your privacy isn’t either. These services do all of their work by proactively monitoring and systematically erasing personal information from hundreds of websites. It has given me peace of mind and has proven to be the most effective way to erase personal data from the internet. By limiting the available information, you reduce the risk that scammers cross-referencing your data from violations, providing information they may find on the dark web, making it difficult for them to target you. Please see the top picks for data deletion services.
Massive security flaws put the most popular browsers at risk with MAC
Important takeouts for your cart
Zacks’ investment violations highlight how realistic the threat of cyberattacks is for financial institutions. With millions of users being affected and personal data exposed, the risk of fraud and identity theft is higher than ever. The fact that Zacks doesn’t say much about the violation only adds to the uncertainty of those affected. As these types of attacks become more common, it’s more important than ever to keep an eye on online security. Use a unique password, look to your account and be careful of any signs of suspicious activity.
Click here to get the Fox News app
Do businesses need stricter regulations on how they disclose their infringements and protect their customer data? Please let us know at cyberguy.com/contact
For more information about my tech tips and security alerts, head to cyberguy.com/newsletter and subscribe to our free Cyberguy Report Newsletter
Please ask your cart or tell us what stories you would like us to cover.
Follow your cart on his social channels:
Answers to the most accused Cyber ​​Guy questions:
New from Cart:
Copyright 2025 cyberguy.com. Unauthorized reproduction is prohibited.
