Zacks Investment Research (Zacks) reportedly suffered an older, previously undisclosed data breach affecting 8.8 million customers, with the database now shared on a hacking forum.
The company previously disclosed a data breach that occurred between November 2021 and August 2022, warning that unauthorized intruders on the network accessed the personal and sensitive information of approximately 820,000 customers.
“We have no reason to believe that the customer’s credit card information, any other financial information of the customer, or any other personal information of the customer was accessed,” said the notice from Zacks at the time.
However, the data breach notification service Have I Been Pwned (HIBP) listed another Zacks breach over the weekend after it received a database containing 8.8 million user records.
HIBP creator Troy Hunt told BleepingComputer that this database appears to have been dumped around May 10, 2020, before the previously disclosed breach at Zacks.
Hunt told BleepingComputer that the database contains email addresses, usernames, unsalted SHA-256 hashed passwords, addresses, phone numbers, first and last names, and other data of Zacks customers.
Financial information such as credit card and bank account details is not included in the dump, and it does not appear that hackers accessed this type of data.
Zacks had previously initiated a password reset procedure for the breach disclosed in January, but unfortunately it’s safe to assume that the remaining 90% of hacked accounts, which weren’t identified as such, weren’t included in the investigation, leaving them exposed to account takeover, credential stuffing and SIM swapping.
Although Zacks didn’t respond to BleepingComputer’s questions, Hunt told us that Zacks plans to notify affected users, but there’s no timeline for when that will be.
Have I Been Pwned users can now enter their email address on the site and be notified if it was found in newly leaked Zacks data.
Zacks data shared on hacking forum
Shortly after the data breach was added to Have I Been Pwned, the Zacks database was posted on the hacking forum Exposed, a site used to share and sell stolen data.
Exposed is a new hacking forum that recently appeared and gained notoriety after a database leak containing the details of almost half a million now missing RaidForums members.
Now that the database has been publicly leaked, threat actors will likely misuse it in phishing or credential stuffing attacks.
Therefore, all Zacks users are strongly advised to change their passwords to unique passwords used only on this site.
If you use the same Zacks password on other sites, you should also change the passwords on those sites to unique passwords.