
Zacks Breached, Again: The Fallout for 12 Million Users

In February 2025, the cybersecurity world faced yet another wake-up call. This time the target was Zacks Investment Research, a well-known investment analysis firm. A hacker going by the alias “Jurak” claimed responsibility for leaking sensitive data belonging to 12 million Zacks customers. The breach leaves millions exposed to identity theft, credential stuffing, and financial fraud. What is even more alarming is that this is not the first time Zacks has fumbled the ball on data security.

What Happened?

Jurak claims to have breached Zacks’ Active Directory (AD) and obtained domain administrator privileges, the crown jewels of access in any organization: a domain admin can reach essentially every system and account joined to the domain. With that level of control, Jurak says they stole the source code of Zacks’ primary website (zacks.com) and of 16 internal and external web applications, exposing backend logic, API keys, and possibly much more. The attack goes beyond data theft; it reveals gaping holes in Zacks’ internal security.

(Figure: Zacks breach attack pathway)

What Was Stolen?

The exposed data includes a list of highly sensitive information:

  • Password Hashes – Zacks stored passwords as unsalted SHA-256 hashes, a fast general-purpose hash that is unsuitable for password storage and puts users at even greater risk.
  • Personally Identifiable Information (PII) – Full names, addresses, and phone numbers.
  • Credentials – Usernames and email addresses.
  • Technical Data – Customer IDs, IP addresses, time zone codes, and even timestamps of password resets, giving attackers a detailed picture of each account.
(Figure: Zacks leaked secrets)

Why Was Password Storage Such a Disaster?

Storing passwords as unsalted SHA-256 hashes is one of the most serious flaws exposed by this breach. Without a unique random string (a “salt”) mixed into each password before hashing, every user who chose the same password ends up with the same hash, and an attacker can match the entire dump against a precomputed table of common passwords (a “rainbow table”) in a single pass. SHA-256 is also designed to be fast, so commodity GPUs can test billions of guesses per second against the records that do not fall to the table. Many passwords therefore crack quickly, and every one that was reused elsewhere unlocks those accounts too. Proper password storage uses a slow, salted function built for the job: Argon2id, scrypt or bcrypt, or PBKDF2 where those are unavailable.
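The following is an added example, written for this article and not code from Zacks or from the original post, that shows the mechanism in working Python. It builds a tiny precomputed table from a constructed list of common passwords, runs it against a constructed dump of unsalted SHA-256 records, and then runs the same table against records stored with a per-user salt and a slow KDF (PBKDF2-HMAC-SHA256 from the standard library, chosen because Argon2id needs a third-party package). The user names, passwords and wordlist are all made up for the demonstration.

```python
import hashlib
import os
import secrets
from typing import Optional

# Constructed "wordlist": a handful of common passwords an attacker would
# precompute. Real tables hold billions of entries; the mechanism is the same.
COMMON_PASSWORDS = ["password", "123456", "qwerty", "letmein", "welcome1"]

# PBKDF2-HMAC-SHA256 iteration count; 600,000 is OWASP's current minimum
# recommendation for this KDF. Argon2id is preferable where a library is
# available; PBKDF2 is used here because it ships in the standard library.
PBKDF2_ITERATIONS = 600_000


def weak_hash(password: str) -> str:
    """The scheme attributed to Zacks: one unsalted SHA-256 over the password.
    Same password -> same hash for every user, and it is very fast to compute."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def build_lookup_table(candidates):
    """Precompute hash -> plaintext once. Because there is no salt, this table
    works unchanged against every unsalted SHA-256 dump ever leaked."""
    return {weak_hash(p): p for p in candidates}


def crack_with_table(dump, table):
    """Match every leaked record against the table: one dict lookup per user,
    no hashing at all at crack time."""
    return {user: table[stored] for user, stored in dump.items() if stored in table}


def strong_hash(password: str, salt: Optional[bytes] = None) -> str:
    """Hardened form: a random 16-byte salt per record plus a deliberately slow
    KDF. The salt and cost are stored with the digest so verification can repeat them."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                                 PBKDF2_ITERATIONS, dklen=32)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_strong(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant time."""
    _, iterations, salt_hex, digest_hex = stored.split("$")
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 bytes.fromhex(salt_hex), int(iterations), dklen=32)
    return secrets.compare_digest(digest.hex(), digest_hex)


def demo():
    """Run the table attack against both storage schemes and report what falls."""
    # Constructed user base: two people chose the same weak password.
    users = {"alice": "letmein", "bob": "S3cure!Passphrase#2024", "carol": "letmein"}
    table = build_lookup_table(COMMON_PASSWORDS)

    unsalted_dump = {u: weak_hash(p) for u, p in users.items()}
    salted_dump = {u: strong_hash(p) for u, p in users.items()}

    return {
        "cracked_unsalted": crack_with_table(unsalted_dump, table),  # alice and carol
        "cracked_salted": crack_with_table(salted_dump, table),      # nothing
        # Identical passwords show up as identical hashes only without a salt.
        "unsalted_collide": unsalted_dump["alice"] == unsalted_dump["carol"],
        "salted_collide": salted_dump["alice"] == salted_dump["carol"],
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Two things are worth noticing when running it: the unsalted dump gives up both users who picked “letmein” with zero hashing work, and their records are visibly identical, which tells an attacker where to concentrate effort even before cracking; the salted records match nothing in the table and differ from each other, so each one has to be attacked separately at the full cost of the KDF.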

Zacks’ History of Breaches

This breach is part of a concerning pattern at Zacks:

  • December 2022 – An unauthorized party accessed an old database, compromising 820,000 Zacks accounts.
  • June 2023 – Another breach exposed 8.8 million user records on a hacking forum. Compromised data included names, email addresses, and passwords.
  • January 2025 – The most recent breach affects 12 million users.

Three major breaches in three years suggest a fundamental flaw in Zacks’ approach to security. Repeated failures to protect user data raise serious questions about whether they’re learning from past mistakes or simply patching problems temporarily.

What’s at Stake for Affected Users?

For the 12 million individuals impacted, the consequences go far beyond just changing a password:

  • Credential Stuffing – Because the passwords were stored as unsalted hashes, many of them are easily crackable. Anyone who reused the same password on a banking, email, or investment account now has that account exposed.
  • Phishing and Social Engineering – With stolen personal information in hand, attackers can launch highly targeted phishing attacks, tricking users into handing over even more sensitive data.
  • Identity Theft – Full names, addresses, and phone numbers can be used to open fraudulent accounts.
  • Dark Web Exposure – Once leaked, this data can be sold and resold on underground marketplaces, so the risk does not end with this single breach.

What Can Be Done?

  • Least Privilege Access – Enforce least-privilege policies for all non-human identities (NHIs): service accounts, API keys, tokens and the like should have access only to the resources their specific function needs.
  • Micro-Segmentation – Segment NHIs across environments to limit lateral movement if one is compromised. NHIs with administrative privileges should be isolated in tightly controlled zones with rigorous monitoring.
  • Credential Rotation – Implement automatic credential rotation for NHIs. Rotating credentials regularly shortens the window in which a stolen credential remains usable.
  • Use Short-Lived Tokens – Replace long-lived static credentials with short-lived, ephemeral tokens that are issued on demand and scoped to the minimum necessary privileges.
  • Avoid Hardcoded Secrets – Ensure that no API keys or other NHI credentials are hardcoded into application source code; stolen source, as in this breach, becomes a stolen credential store. Scan repositories for secrets and fail the build when one is found.
  • Use Purpose-Built Password Hashing – Unsalted SHA-256 is not a password-storage algorithm. Store passwords with a slow, salted function designed for the purpose, such as Argon2id (preferred), scrypt or bcrypt, with parameters tuned so that a single verification costs a noticeable fraction of a second, and rehash existing records on the user’s next successful login.
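The “avoid hardcoded secrets” recommendation above is only enforceable if something actually looks for them. What follows is an added example, written for this article and not code from Zacks or from the original post: a minimal secret scanner in Python that combines two fixed-format rules (AWS access key IDs start with AKIA, GitHub personal access tokens start with ghp_) with a generic rule for quoted literals assigned to secret-looking variable names, filtered by Shannon entropy so obvious placeholders are not reported. The source sample is constructed for the demonstration; the AWS key in it is AWS’s own documented placeholder (AKIAIOSFODNN7EXAMPLE) and the GitHub token is a synthetic string in the ghp_ format, not a live credential.

```python
import math
import re
from typing import List, Tuple

# Constructed sample source (not from any real repository). Line 2 holds AWS's
# documented placeholder key, line 5 a synthetic ghp_ token, line 6 a made-up
# high-entropy value; line 3 reads from the environment and line 4 is a
# low-entropy placeholder, so neither should be reported.
SAMPLE_SOURCE = """\
import os
AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
api_key = os.environ["ZACKS_API_KEY"]
password = "changeme"
token = "ghp_AbCdEfGhIjKlMnOpQrStUvWxYz0123456789"
db_secret = 'x7Gq2!pL9vR4sT1wZ8yB3nK6'
"""

# Fixed-format rules: high confidence, no entropy check needed.
SPECIFIC_RULES = {
    "aws-access-key-id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "github-pat": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
}

# Generic rule: a quoted literal of 8+ characters assigned to a name that
# contains api_key / secret / token / password (case-insensitive).
GENERIC_RULE = re.compile(
    r"""(?i)\b\w*(?:api[_-]?key|secret|token|password)\w*\s*[:=]\s*["']([^"']{8,})["']"""
)
# Bits per character. "changeme" scores about 2.75; random keys score above 4.
ENTROPY_THRESHOLD = 3.0


def shannon_entropy(s: str) -> float:
    """Entropy per character estimated from the string's own character histogram."""
    if not s:
        return 0.0
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def redact(value: str) -> str:
    """Keep a short prefix to locate the finding without re-leaking the secret."""
    return value[:4] + "..." + "*" * max(0, len(value) - 4)


def scan_source(text: str) -> List[Tuple[int, str, str]]:
    """Return (line_number, rule_name, redacted_value) for each finding.
    A line matched by a specific rule is not re-reported by the generic rule."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        matched_specific = False
        for name, pattern in SPECIFIC_RULES.items():
            for m in pattern.finditer(line):
                findings.append((lineno, name, redact(m.group(0))))
                matched_specific = True
        if matched_specific:
            continue
        m = GENERIC_RULE.search(line)
        if m and shannon_entropy(m.group(1)) >= ENTROPY_THRESHOLD:
            findings.append((lineno, "generic-assignment", redact(m.group(1))))
    return findings


if __name__ == "__main__":
    for lineno, rule, value in scan_source(SAMPLE_SOURCE):
        print(f"line {lineno}: {rule}: {value}")
```

In a CI pipeline the scan runs over every file in the change set and the job fails on any finding; the fixed-format rules are the ones to trust blindly, while the generic rule will need tuning of its name list and entropy threshold to the codebase. Scanning only catches what reaches the repository, so it complements, rather than replaces, keeping credentials in a secrets manager and injecting them at runtime.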

Conclusion

This breach is not just about Zacks; it highlights a broader problem in the financial sector. Investment firms hold vast amounts of high-value personal and financial data, which makes them prime targets for cybercriminals. Yet time and again we see companies failing at basic security hygiene, such as strong password hashing and proactive monitoring of privileged access.

With the increasing sophistication of cyber threats, firms like Zacks must evolve beyond reactive security measures and adopt a proactive, layered security approach. Until then, incidents like this will continue to occur, putting millions of users at risk.