Zacks Investment Research confirmed Tuesday that an unconfirmed number of Zacks.com customers had their encrypted passwords stolen as part of a prior data breach by an unknown third party. The company said the breach was tied to an unspecified previous hack when a third party pilfered "a smaller subset of customers whose unencrypted passwords were compromised."

The statement to SC Media comes a day after a report by breach notification website Have I Been Pwned? (HIBP) revealed that data tied to nearly 9 million Zacks.com customers are reportedly circulating “on a popular hacking forum.”

HIBP said data “exposed” includes names, usernames, email and physical addresses, phone numbers and passwords stored as unsalted SHA-256 hashes.

“We have confirmed that in association with a prior data breach disclosed by Zacks, which relates to a smaller subset of customers whose unencrypted passwords were compromised, the unauthorized third parties also gained access to encrypted passwords of zacks.com customers,” according to a written statement to SC Media by Terry Ruffolo, media relations director for Zacks.

Ruffolo did not confirm how many customers were impacted and said Zacks has “no reason to believe any customer credit card information or any other customer financial information was accessed for any Zacks customer at any time.”

Scope of breach pegged at 8.9 million

According to the Monday HIBP report, data tied to Zacks customers dates back to May 2020.

“In December 2022, the investment research company Zacks announced a data breach. The following month, reports emerged of the incident impacting 820k customers,” HIBP wrote.

The 2022 breach may have included additional data, HIBP suggests. “[I]n June 2023, a corpus of data with almost 9M Zacks customers appeared before being broadly circulated on a popular hacking forum,” the report states.

In all, 8,929,503 Zacks customers are impacted, HIBP said.

“On disclosure of the larger breach, Zacks advised that in addition to their original report ‘the unauthorised third parties also gained access to encrypted [sic] passwords of zacks.com customers, but only in the encrypted [sic] format,'” HIBP wrote.

A BleepingComputer report posted Monday quotes HIBP’s founder Troy Hunt as stating that the Zacks database was likely compromised around May 10, 2020, and the data dumped on a hacking forum.

Zacks' prior attack

In its statement to SC Media, Zacks said it is taking steps to enhance password security.

“We regret any inconvenience to our customers and we remain vigilant in protecting their personal information,” the company said.

In a “breach” notification posted to its website and tied to a December 2022 incident, Zacks stated that an unknown third party gained unauthorized access to customer data. The statement read:

“On December 28, 2022, our team identified that an unknown third-party gained unauthorized access to certain customer records and we took immediate action to implement additional security measures to our network, and to investigate and understand the scope of the incident. While the customer information at issue is limited, and we have no indication that the accessed information has been used inappropriately, we seek to be transparent with you, our customers, and the public generally.” – Zacks.com.

Zacks' compromised data included passwords stored as unsalted SHA-256 hashes, according to HIBP. This type of data protection meets industry expectations for protecting data; however, it is not foolproof when it comes to protecting data from being compromised.

How secure are passwords stored as unsalted SHA-256 hashes?

Password salting is a way to keep passwords safe if they should fall into the hands of hackers. When a password is stored, salting adds a layer of protection that can make it extremely hard, but not impossible, to mount automated dictionary-style attacks in which computers automate account compromises.

When a password or other data is salted, additional random characters are added to the text in order to strengthen it. Hashing adds additional protection and converts plaintext (salted) passwords into ciphertext. Ciphertext is encrypted text and Secure Hash Algorithm (SHA-256) is the type of algorithm used by Zacks. The 256 denotes the 256-bit key encryption/decryption used to protect data in transit and at rest.

In the case of Zacks, passwords were hashed but not salted. Techniques have been developed to bypass, not crack, SHA-256 hashed data.

“Technically speaking SHA256 password hashes are not cracked or decrypted. They are matched using a list of possible passwords, it is more akin to reversing than breaking,” according to a report titled “Pop that Hash.”
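The matching described above, next to salted storage, as an added Python example (not code from Zacks, HIBP or the cited report). The account names, passwords, weak-password list and PBKDF2 iteration count are constructed assumptions for illustration.

```python
import hashlib
import hmac
import os

def hash_unsalted(password):
    """Bare SHA-256 with no salt, the storage format HIBP reported."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()

def audit_unsalted(stored, weak_passwords):
    """Hash each weak password once; the same table matches every row."""
    table = {hash_unsalted(p): p for p in weak_passwords}
    return {user: table[h] for user, h in stored.items() if h in table}

def hash_salted(password, salt=None, iterations=600_000):
    """Per-user random salt plus a slow KDF (PBKDF2-HMAC-SHA256).
    The iteration count is an assumption of this example, not from the page."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return salt, digest

def verify_salted(password, salt, digest, iterations=600_000):
    """Recompute with the stored salt and compare in constant time."""
    candidate = hash_salted(password, salt, iterations)[1]
    return hmac.compare_digest(candidate, digest)

# Constructed sample accounts; alice and carol chose the same password.
SAMPLE_ACCOUNTS = {
    "alice": "Summer2023!",
    "bob": "correct horse battery staple",
    "carol": "Summer2023!",
}
WEAK_LIST = ["123456", "password", "Summer2023!"]  # constructed weak-password list

STORED_UNSALTED = {u: hash_unsalted(p) for u, p in SAMPLE_ACCOUNTS.items()}

if __name__ == "__main__":
    # Unsalted: equal passwords give equal rows, and one table matches both.
    print("identical unsalted rows:", STORED_UNSALTED["alice"] == STORED_UNSALTED["carol"])
    print("matched by one table:", audit_unsalted(STORED_UNSALTED, WEAK_LIST))
    # Salted: the same password yields different rows per user.
    salt_a, dig_a = hash_salted(SAMPLE_ACCOUNTS["alice"])
    salt_c, dig_c = hash_salted(SAMPLE_ACCOUNTS["carol"])
    print("identical salted rows:", dig_a == dig_c)
    print("login still verifies:", verify_salted("Summer2023!", salt_a, dig_a))
```

With a per-user salt, a single precomputed table no longer matches every row, and the iteration count makes each individual guess slower.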