Zacks Customer Data Posted Online in Expanded Breach Exposing Millions
Investment research firm Zacks was linked to multiple customer data exposures after datasets allegedly stolen from the company were posted on a popular hacking forum. Zacks first disclosed a breach in December 2022, and reporting in early 2023 said about 820,000 customers were affected. A larger dataset later surfaced in June 2023, reportedly containing records for nearly 9 million customers, including names, usernames, email addresses, physical addresses, phone numbers, and passwords stored as unsalted SHA-256 hashes.
A separate breach allegedly occurred in June 2024 and was later published online, with the leaked data described as a superset of the earlier incident and expanding the exposure to about 12 million unique email addresses. The newer dataset reportedly also included IP addresses alongside names, usernames, physical addresses, phone numbers, and unsalted SHA-256 password hashes. Zacks acknowledged unauthorized access to customer passwords after the earlier disclosures, but the company reportedly did not respond to multiple requests for comment on the 2024 incident.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
7 events from the most recent confirmed update back to the earliest known activity.
Zacks reportedly does not respond to requests for comment on 2024 breach
Regarding the alleged 2024 breach, Zacks reportedly did not respond to multiple requests for comment. This contrasted with the company's public acknowledgment of the earlier breach.
Data from alleged 2024 Zacks breach is posted online
Following the June 2024 incident, the stolen data was posted on a popular hacking forum. The leak allegedly included 12 million unique email addresses, plus IP addresses, physical addresses, names, usernames, phone numbers, and unsalted SHA-256 password hashes.
Alleged second Zacks breach occurs
In June 2024, Zacks was allegedly breached again. The later-leaked dataset was described as a superset of the earlier incident and reportedly exposed millions of additional records.
Zacks says attackers also accessed zacks.com customer passwords
After disclosure of the larger 2023 breach dataset, Zacks stated that unauthorized parties had also accessed zacks.com customer passwords. The company said those passwords were stored in an encrypted format.
Larger alleged Zacks dataset circulates on hacking forum
In June 2023, a much larger dataset allegedly tied to Zacks was widely circulated on a hacking forum. The data reportedly contained records for nearly 9 million customers, including personal details and unsalted SHA-256 password hashes.
Reports say 2022 Zacks breach affected about 820,000 customers
In January 2023, reports stated that the December 2022 Zacks breach impacted approximately 820,000 customers. This quantified the scope of the initially disclosed incident.
Zacks discloses a data breach
Zacks disclosed a data breach in December 2022. This is the earliest confirmed incident referenced in the materials.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
2 references tracked. Mallory keeps watching after this page renders.
See the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Betterment Social-Engineering Breach Exposes 1.4 Million Customer Records
**Betterment** disclosed that a **social engineering** attack against a **third-party platform account** used for customer communications enabled unauthorized access to internal systems in early January, leading to the exposure of personal data tied to **1,435,174 accounts**. The intruder used the access to send **fraudulent crypto-themed promotional messages** impersonating Betterment and promising to “triple” cryptocurrency sent to attacker-controlled wallets (including **Bitcoin and Ethereum** addresses). Betterment said it revoked the unauthorized access the same day it was detected, warned customers to ignore the messages, and initiated a forensic investigation with external incident-response support. Breach analysis and indexing by **Have I Been Pwned** indicated the exposed dataset included **email addresses, names, and location data**, with reporting also citing additional PII such as **dates of birth, physical addresses, phone numbers, device information, and employment-related details**. Betterment stated there is **no evidence** that customer investment accounts were accessed or that **passwords/authentication tokens** were compromised, characterizing the incident as an exposure of contact/identity data rather than account credentials. Separate reporting noted Betterment also experienced **intermittent outages attributed to a DDoS attack and extortion attempts** around the same period, but this was described as distinct from the social-engineering-driven data exposure.
Mar 21, 2026
Multiple Consumer Data Exposures: IDMerit Database Leak, youX Intrusion, and Substack User Data Access
Cybersecurity researchers reported a major exposure at **IDMerit**, an AI-driven identity verification provider, after discovering an unsecured, internet-accessible **MongoDB** instance containing **over 3 billion records** (over 1TB). Exposed data reportedly included full names, addresses, dates of birth, national ID numbers, phone numbers, and email addresses; researchers estimated roughly **~1 billion** records contained sensitive data (with duplicates likely inflating the total). The dataset was described as global in scope, affecting individuals across **26 countries**, with large volumes attributed to the **US, Mexico, and the Philippines**, creating downstream risk for **identity fraud, account takeover, phishing, and SIM-swap** activity. Separately, Australian finance technology platform **youX** confirmed an **unauthorized third-party access** incident, after which a hacker claimed theft of data tied to **444,528** Australian borrowers and additional loan-application and identity data (including driver’s licence numbers, addresses, and credit/banking-related information), plus customer/staff details associated with broker organizations. **Substack** also confirmed unauthorized access to **limited user data** (including email addresses, phone numbers, and internal account metadata) that occurred in **October 2025** but was only identified on **Feb. 3, 2026**; Substack stated **passwords and payment card/financial data were not accessed**, but the extended detection gap raised concerns about monitoring and dwell time.
Mar 21, 2026
DentaQuest Breach Exposed Sensitive Data of 2.6 Million Accounts
DentaQuest, a major U.S. dental benefits administrator owned by Sun Life, disclosed a cybersecurity incident involving unauthorized access to a limited portion of its network, exposing sensitive information tied to **2.6 million accounts**. The breach was first publicized by the extortion group **ShinyHunters**, which claimed to have stolen more than **234 GB** of data and later leaked the dataset after an alleged failure to reach an agreement with the company. Analysis of the leaked data found records containing email addresses, full names, phone numbers, dates of birth, genders, government-issued IDs, and health insurance information. DentaQuest said its systems remained operational and customer service saw only limited disruption while external experts investigated the scope of the compromise, but the exposed data significantly increases the risk of phishing, social engineering, identity theft, and related fraud targeting affected individuals.
Jun 12, 2026