BleepingComputer reports that U.S. investment research firm Zacks Investment Research had data from nearly 12 million accounts purportedly stolen in a June breach leaked on BreachForums late last month.
Infiltration of Zacks' active directory as domain admin enabled the theft of source code belonging to the company's primary website and 16 others, according to the threat actor, who has been peddling the exfiltrated account information, including full names, usernames, physical and email addresses, and phone numbers, for a small amount of cryptocurrency.
While Zacks has yet to confirm the data compromise, Have I Been Pwned disclosed the presence of 12 million unique email addresses, usernames, IP addresses, and unsalted SHA-256 hashed passwords in the leaked Zacks database. However, most of the exposed email addresses had already been included in previous data breaches, noted HIBP.
Such a development comes two years after Zacks reported having more than 9 million of its customers impacted by a pair of data breaches.
