Zacks Investment Research has confirmed that a hacker attack between 2021 and 2022 resulted in the potential compromise of data belonging to 820,000 customers.
The company made the announcement in a notice document addressed to users earlier this week, saying it discovered the breach on December 28, 2022.
“Zacks learned that an unknown third party had gained unauthorized access to certain customer records described below,” the company wrote. “We believe the unauthorized access occurred sometime between November 2021 and August 2022.”
According to Zacks, the data theft affected an older database of Zacks customers who signed up for the Zacks Elite product between November 1999 and February 2005.
“The specific information we believe to have been accessed is your name, address, phone number, email address, and password used for Zacks.com,” reads the notice document.
“We have no reason to believe any customer credit card information, any other customer financial information, or any other customer personal information was accessed.”
The company added that it has already implemented additional security measures to prevent threat actors from accessing compromised accounts using stolen passwords.
“It looks like Zacks is doing a lot of the right things in order to restore trust with customers. I do wonder why it took almost a month from detecting the breach to notify customers and why it took 3-4 months to notice the breach?” asked Roger Grimes, data-driven defense evangelist at KnowBe4.
“[Taking] a month to notify affected customers that their current passwords [were compromised], which are often shared with other unrelated sites and services, seems a bit excessive.”
Grimes also told Infosecurity via email that, at the same time, there can always be extenuating circumstances, and the company may have taken that long to figure out what happened so that it could communicate it clearly and accurately to customers.
“Still, you would hope any breached company would notify affected customers within days and not take weeks to make an official announcement.”
The Zacks breach notice comes days after American fast food restaurant chain Five Guys also confirmed it had been hacked last year.