At a glance.
- Data dump exposes millions of Zacks Investment Research user records.
- US courts use accountability apps to spy on the accused.
Data dump exposes millions of Zacks Investment Research user records.
Data breach notification service Have I Been Pwned (HIBP) says Zacks Investment Research suffered a previously undisclosed data breach in 2020 that exposed 8.8 million user records. HIBP founder Troy Hunt says he was sent a database containing the user records this weekend, and the data appear to have been published around May 10th, 2020. Last January Zacks reported a data breach that occurred between November 2021 and August 2022, but HIBP says the newly discovered data were acquired prior to that incident. Not long after HIBP learned of the new database, it was also posted on the Exposed hacking forum, a recently emergent marketplace for stolen data. The compromised data include customer email addresses, usernames, unsalted SHA-256 password hashes, street addresses, phone numbers, and first and last names. Bleeping Computer notes that after learning of the breach disclosed in January, Zacks initiated a password reset procedure for impacted accounts, but unfortunately it can be assumed that this reset did not cover the users who were exposed in this newly discovered 2020 breach.
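The detail that matters most for defenders here is "unsalted SHA-256": a fast hash with no per-user salt means identical passwords produce identical digests, so a dumped table reveals which accounts share a password and lets one precomputed lookup cover all of them. The short Python example below is added for illustration and is not code from Zacks, HIBP, or any of the parties quoted; the accounts and passwords are constructed sample data. It contrasts that weak scheme with a salted, memory-hard scrypt hash from the standard library (the storage format `scrypt$<salt>$<digest>` and the parameters are assumptions for the example).

```python
import hashlib
import secrets
from typing import Dict, List, Optional

# Constructed sample accounts (not real breach data). Two users chose the
# same password, which is exactly the case an unsalted scheme exposes.
USERS = {
    "alice@example.com": "Summer2020!",
    "bob@example.com": "Summer2020!",
    "carol@example.com": "correct horse battery staple",
}


def unsalted_sha256(password: str) -> str:
    """The weak scheme described in the breach report: one fast hash, no salt."""
    return hashlib.sha256(password.encode()).hexdigest()


def shared_password_groups(records: Dict[str, str]) -> Dict[str, List[str]]:
    """Given {user: unsalted digest}, group users whose digests are identical.

    Without a salt, equal passwords yield equal digests, so anyone holding the
    dump can see which accounts share a password without cracking anything.
    """
    groups: Dict[str, List[str]] = {}
    for user, digest in records.items():
        groups.setdefault(digest, []).append(user)
    return {d: u for d, u in groups.items() if len(u) > 1}


# Assumed scrypt work factors for the example; 128 * r * n bytes of memory
# per hash (16 MiB here), well under hashlib's default 32 MiB ceiling.
SCRYPT_PARAMS = dict(n=2 ** 14, r=8, p=1, dklen=32)


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Hardened scheme: random 16-byte per-user salt plus memory-hard scrypt.

    Stored as 'scrypt$<salt hex>$<digest hex>' (an assumed format).
    """
    salt = salt if salt is not None else secrets.token_bytes(16)
    digest = hashlib.scrypt(password.encode(), salt=salt, **SCRYPT_PARAMS)
    return f"scrypt${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the digest with the stored salt and compare in constant time."""
    scheme, salt_hex, digest_hex = stored.split("$")
    if scheme != "scrypt":
        return False
    digest = hashlib.scrypt(
        password.encode(), salt=bytes.fromhex(salt_hex), **SCRYPT_PARAMS
    )
    return secrets.compare_digest(digest, bytes.fromhex(digest_hex))


if __name__ == "__main__":
    weak = {user: unsalted_sha256(pw) for user, pw in USERS.items()}
    print("accounts sharing a password (visible from unsalted dump):",
          shared_password_groups(weak))

    strong = {user: hash_password(pw) for user, pw in USERS.items()}
    # Same password, different salt: the two stored values no longer match.
    print("salted digests identical:",
          strong["alice@example.com"] == strong["bob@example.com"])
    print("alice verifies:", verify_password("Summer2020!", strong["alice@example.com"]))
```

Running it shows alice and bob grouped together under the unsalted scheme while their scrypt records differ, which is why a breach of salted, slow hashes is far less useful to whoever holds the dump, and why a forced reset for every exposed account, including those from the earlier 2020 data, is the right response when the hashes were unsalted.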
Erich Kron, Security Awareness Advocate at KnowBe4, cautioned that while paycard and other financial data are important, any personal information can be exploited in social engineering attacks:
"While a focus on their earlier response is around the fact that credit cards and financial information were not stolen at that time, it's still important to understand that any information bad actors get can be used against a person in social engineering attacks. If cyber criminals have information about previous dealings with an organization, they can easily use this to develop trust with a potential victim. Referencing earlier trades or other activity between the organization and potential victim can certainly help the victim lower their defenses. It will be interesting to see what information was lost when Zacks confirms this latest breach. In addition to the potential reputational issues of having multiple breaches, the loss of this many records could potentially cost them significant amounts of money in regulatory fines. People who have done business with Zacks really need to be on the lookout for potential social engineering attacks from bad actors using the information they have stolen. This means being very careful when clicking links, opening documents or disclosing sensitive information in response to any email, text message, or phone call moving forward. Since cyber criminals have access to almost 9 million of their customers, it is a safe bet that these bad actors are going to use that information against them."
Ani Chaudhuri, CEO of Dasera, agrees that the data breach, as reported, is cause for concern. "The recent data breach at Zacks Investment Research is profoundly concerning and highlights data security's complex and ever-evolving nature. The breach, impacting 8.8 million customers, is a stark reminder that no organization is immune to cyber threats. The details of the Zacks breach have not been disclosed. Determining the specific cause of a breach often requires a thorough investigation by cybersecurity experts and forensic analysis of the affected systems," Chaudhuri wrote, adding:
"It is essential for organizations to continually assess and enhance their security measures to mitigate the risk of such incidents because defending against attacks and data breaches is a formidable challenge for companies today. The ever-evolving threat landscape and the sophisticated tactics employed by malicious actors make it challenging to anticipate and mitigate every potential vulnerability. Companies must cover the full scope of their attack surface, which includes safeguarding networks, applications, endpoints, and data, while also considering the diverse range of bad actors, including hackers, insider threats, and nation-state actors. Protecting against these threats requires a multi-layered approach, combining robust security measures, continuous monitoring, threat intelligence, employee awareness and training, and proactive incident response strategies.
"While Zacks previously disclosed a breach between November 2021 and August 2022, the recently discovered breach dates back to May 10th, 2020. The leaked database contains sensitive customer information, including email addresses, usernames, passwords, addresses, phone numbers, and more.
"The implications of this breach are significant, as threat actors may exploit the leaked data for malicious purposes such as phishing or credential-stuffing attacks. All Zacks users must immediately change their passwords to unique ones. Furthermore, if you use the same password at other sites, it is essential to update those passwords to ensure your accounts remain secure.
"This incident underscores the need for a collaborative approach to data security. Organizations, industry leaders, and individuals must work together to strengthen security measures, implement robust safeguards, and stay vigilant against evolving threats. Protecting sensitive data requires continuous efforts and a shared commitment to safeguarding customer trust.
"Let us use this unfortunate event as a reminder of the importance of prioritizing data security, fostering a culture of cybersecurity awareness, and implementing comprehensive measures to protect sensitive information. Together, we can mitigate risks, address vulnerabilities, and build a more resilient digital landscape."
Paul Bischoff, Consumer Privacy Advocate at Comparitech, effectively winced at stolen data appearing on a hacking forum before the affected company disclosed the breach to affected individuals. "It's never a good sign when a breached database is posted on hacker forums before the owners disclose the breach to users," he wrote. "That usually means the owner was either not aware of the breach or they intentionally hid it, neither of which is a good look. Zacks customers should be on the lookout for targeted phishing messages from scammers posing as Zacks or a related company. Scammers may use personal information from the breached database to make their messages more convincing. Never click on links or attachments in unsolicited emails!"
Chris Hauk, Consumer Privacy Champion at Pixel Privacy, was also disturbed by the lag between breach and disclosure. "Zacks customers will want to stay on high alert for phishing attempts, new accounts, and other malicious actions using the already stolen information. It is unfortunate that at least one of these breaches happened a few years ago without being noticed until just recently."
US courts use accountability apps to spy on the accused.
Wired offers an in-depth look at how accountability apps are being used to surveil the devices of people who are awaiting trial or released on parole. In one case, a man living in the US state of Indiana was charged with possession of child sexual abuse material. The court ordered that he not have access to any electronic devices as he awaited trial, and to make sure he adhered to this order, the court required him to install the accountability app Covenant Eyes on his devices, as well as those of his family members. Covenant Eyes, which is popular among churches and parents, monitors everything a user does on their devices, and then sends the data to an “ally” or “accountability partner” for review. The app sweeps up everything from bank statements to phone records to online purchases, and takes at least one screenshot per minute.
Covenant Eyes’ terms of service clearly state that it is not to be used in a “premeditated legal setting,” but that hasn’t stopped courts in at least five states from using the app to scrutinize the online activities of parolees or those awaiting trial. In the case of the Indiana man, even his children have been living in fear, knowing their every digital move is being monitored and could land him behind bars. Pilar Weiss, founder of the National Bail Fund Network, stated, “This is the most extreme type of monitoring that I’ve seen. It’s part of a disturbing trend where deep surveillance and social control applications are used pretrial with little oversight.” Further complicating matters, Wired found that Covenant Eyes is unable to differentiate between intentional web activity and unintentional background activity, meaning a surveillance subject could be accused of accessing a site he or she has not actually visited. Jonathan Manes, an attorney at the MacArthur Justice Center’s Illinois office, says, “This feels like an extraordinarily intrusive violation of the family’s First Amendment rights to be able to access the internet and communicate without being monitored.” However, legal experts say until there’s more oversight over how courts deploy surveillance tech, accountability apps will continue to fall into a legal gray area.