Full Report
Zacks Investment Research (Zacks) last year reportedly suffered another data breach that exposed sensitive information related to roughly 12 million accounts. [...]
Analysis Summary
# Incident Report: Mass Account Data Leak at Zacks Investment
## Executive Summary
A security incident resulted in the exfiltration and public leak of account data belonging to approximately 12 million Zacks Investment users. The attackers achieved high-level access, obtaining domain admin credentials and stealing source code for the company's main website and 16 other related sites. The leaked data included emails, usernames, unsalted SHA-256 hashed passwords, IP addresses, phone numbers, and physical addresses.
## Incident Details
- **Discovery Date:** Not stated. The breach became public when the leaked data was posted and loaded into Have I Been Pwned (HIBP).
- **Incident Date:** Not stated precisely; the source reports the breach as having occurred last year, with the public leak following.
- **Affected Organization:** Zacks Investment
- **Sector:** Financial Services/Investment Research
- **Geography:** Not specified (Implied US/Global based on the nature of the business)
## Timeline of Events
### Initial Access
- **Date/Time:** Unknown (Implied prior to lateral movement/exfiltration).
- **Vector:** Not stated. The outcome (Domain Admin credentials in the attackers' hands) shows that the initial foothold was followed by credential theft, but the entry method itself is unknown.
- **Details:** Attackers obtained access to the company's Active Directory (AD) sufficient to secure Domain Administrator privileges.
### Lateral Movement
- **Details:** Achieved domain administrator access to the Active Directory, allowing broad access across the network infrastructure. Attackers were able to access source code repositories for Zacks.com and 16 other owned websites (including internal sites).
### Data Exfiltration/Impact
- **Details:** Source code for 17 websites was stolen. A database containing credentials and personal information for 12 million unique users was exfiltrated. Samples of the source code were shared publicly as proof of the breach. The leaked database was added to HIBP.
### Detection & Response
- **How it was discovered:** The incident became public knowledge when the compromised data was posted and subsequently verified by HIBP.
- **Response actions taken:** Zacks has not officially confirmed the breach. No specific internal response actions were detailed in the provided text.
## Attack Methodology
*Information derived from the observed impact, as specific technical details of the attack execution were not provided.*
- **Initial Access:** Not stated. Phishing, credential stuffing, or exploitation of an exposed service are the usual paths to this outcome, but none is reported for this incident.
- **Persistence:** Not stated. No persistence mechanism is described; Domain Admin access would make establishing one straightforward, but nothing is reported.
- **Privilege Escalation:** Successfully escalated privileges to **Domain Administrator** level within the Active Directory.
- **Defense Evasion:** Unknown.
- **Credential Access:** Obtained Domain Admin credentials from the Active Directory environment; whether by dumping password hashes, reusing stolen credentials, or another method is not stated.
- **Discovery:** Performed internal reconnaissance to identify and locate source code repositories for Zacks.com and 16 other related sites.
- **Lateral Movement:** Used Domain Admin privileges to move across systems and access source code storage.
- **Collection:** Harvested user account data (email, name, IP, phone, address, hashed passwords) and proprietary source code.
- **Exfiltration:** Stole the database containing 12 million user records and the source code files.
- **Impact:** Data theft and exposure of sensitive source code.
## Impact Assessment
- **Financial:** Not reported. Costs are likely to be significant given breach-notification obligations, regulatory exposure, and remediation of a Domain Admin compromise.
- **Data Breach:** Data of 12 million users, including **email addresses, IP addresses, names, physical addresses, phone numbers, and usernames**. Passwords were in the form of **unsalted SHA-256 hashes**.
- **Operational:** Potential disruption due to the compromise of source code, potentially impacting development or deployment pipelines.
- **Reputational:** Significant negative impact, marking this as potentially the third major breach impacting the company in four years.
## Indicators of Compromise
- **Network indicators:** None published.
- **File indicators:** No hashes published. The known artifacts are the publicly shared source code samples for Zacks.com and 16 affiliated websites, and the database of 12 million user records loaded into HIBP.
- **Behavioral indicators:** Inferred rather than observed: Domain Admin activity touching source code repositories and a bulk read of the user database would be the expected footprint of this intrusion.
## Response Actions
- **Containment measures:** Not specified. Containment of an incident of this shape would at minimum require forcing password resets and session invalidation for all affected accounts, re-enrolling multi-factor authentication, and rotating every credential the Domain Admin compromise could have exposed.
- **Eradication steps:** Not specified. Eradication would require removing all attacker persistence from the AD environment and resetting the Domain Admin accounts, service accounts, and the krbtgt account whose secrets a Domain Admin could have extracted.
- **Recovery actions:** Not specified. Recovery would involve closing the initial entry vector and rebuilding, rather than cleaning, the systems the attackers controlled with Domain Admin rights.
## Lessons Learned
- **Key takeaways:** This incident highlights a critical failure in privileged access management and network segmentation, allowing an attacker to escalate to Domain Admin level. A failure to adequately protect source code repositories also led to the theft of intellectual property alongside customer data.
- **What could have been done better:** Robust multi-factor authentication on all critical systems, especially privileged AD access, and strict enforcement of least privilege. Proper password hashing: the stored SHA-256 hashes were unsalted, so identical passwords share a hash and the whole set can be attacked with one precomputed table or a single fast GPU pass.
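To make the unsalted-hash point concrete, the following is an added example (not code from the report or from Zacks): it builds a constructed credential table in the same shape as the leaked one, shows that a single precomputed lookup over a wordlist cracks every matching account at once and exposes which accounts share a password, and then stores the same passwords with a per-user random salt and a deliberately slow key derivation function. PBKDF2-HMAC-SHA256 is used only because it is in the Python standard library; Argon2id or scrypt, as the recommendations below suggest, are preferable where available. All emails and passwords are invented.

```python
import hashlib
import hmac
import os

# Constructed sample of an unsalted-SHA-256 credential table. The emails and
# passwords are invented; the hashes are computed here exactly as a naive
# application would have stored them.
_DEMO_PASSWORDS = {
    "alice@example.com": "password123",
    "bob@example.com": "correct horse battery staple",
    "carol@example.com": "password123",
}
LEAKED_ROWS = [
    (email, hashlib.sha256(pw.encode()).hexdigest())
    for email, pw in _DEMO_PASSWORDS.items()
]

# A tiny attacker wordlist (constructed). Real lists hold billions of entries,
# and each SHA-256 guess costs well under a microsecond on a GPU.
WORDLIST = ["123456", "password", "password123", "qwerty", "letmein"]


def crack_unsalted(rows, wordlist):
    """Recover passwords from unsalted SHA-256 hashes with one precomputed table.

    Without a salt, one SHA-256 per wordlist entry tests that guess against
    every account at once: the work is O(words), not O(words * users).
    """
    table = {hashlib.sha256(w.encode()).hexdigest(): w for w in wordlist}
    return {email: table[h] for email, h in rows if h in table}


def shared_hashes(rows):
    """Group accounts whose unsalted hashes collide, i.e. that share a password."""
    groups = {}
    for email, h in rows:
        groups.setdefault(h, []).append(email)
    return [emails for emails in groups.values() if len(emails) > 1]


# Hardened storage: per-user random salt plus a deliberately slow KDF.
# 600,000 iterations follows current OWASP guidance for PBKDF2-HMAC-SHA256.
PBKDF2_ITERATIONS = 600_000


def hash_password(password, salt=None):
    """Return (salt, digest); a fresh 16-byte random salt is drawn when none is given."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return salt, digest


def verify_password(password, salt, digest):
    """Recompute with the stored salt and compare in constant time."""
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, digest)


if __name__ == "__main__":
    print("cracked:", crack_unsalted(LEAKED_ROWS, WORDLIST))
    print("accounts sharing a password:", shared_hashes(LEAKED_ROWS))
    salt_a, dig_a = hash_password("password123")
    salt_c, dig_c = hash_password("password123")
    print("same password, different salted digests:", dig_a != dig_c)
    print("verify ok:", verify_password("password123", salt_a, dig_a))
```

With the salted scheme the two accounts that share `password123` get different digests, so an attacker must run the slow KDF once per guess per account instead of once per guess for the whole database; legacy unsalted SHA-256 values should be re-hashed under the new scheme the next time each user logs in.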
## Recommendations
- **Prevention measures for similar incidents:**
1. **Strengthen Credential Security:** Move away from unsalted, fast hashes; store passwords with a memory-hard or deliberately slow password hashing function (Argon2id, scrypt, or bcrypt) that uses a unique per-user salt, and re-hash legacy SHA-256 values on each user's next successful login.
2. **Implement Tiered Administration:** Restrict Domain Admin credentials to highly secured jump boxes, separate from standard user workstations, utilizing Privileged Access Workstations (PAWs).
3. **Source Code Protection:** Isolate source code repositories behind stricter access controls, separate from the standard network domain used by general users, especially if these repositories contain sensitive configuration data.
4. **Proactive Monitoring:** Increase logging and anomaly detection specifically around AD login attempts, particularly for elevation to Domain Admin, and unexpected access to code repositories.
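Recommendations 2 and 4 can be checked mechanically. The following is an added example (not code from the report or from Zacks) that runs two detections over constructed Windows Security log events: a Domain Admin account logging on interactively or over RDP from any host that is not a designated Privileged Access Workstation, and any membership change to a Tier-0 group. The Domain Admin account names, PAW host names, and event values are assumptions invented for the example; the event IDs and field names follow the Windows Security log schema (4624 successful logon; 4728, 4732 and 4756 member added to a global, local or universal security group).

```python
from dataclasses import dataclass

# Assumed environment facts for this example (not from the report):
# the accounts that hold Domain Admin rights and the hosts designated as PAWs.
DOMAIN_ADMIN_ACCOUNTS = {"da-jsmith", "da-breakglass"}
PAW_HOSTS = {"PAW01", "PAW02"}
PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Administrators"}

# Security log event IDs for "member added" to global / local / universal groups.
GROUP_ADD_EVENTS = {4728, 4732, 4756}
INTERACTIVE_LOGON_TYPES = {2, 10, 11}  # console, RDP, cached interactive

# Constructed Security log events reduced to the fields the rules use.
SAMPLE_EVENTS = [
    {"EventID": 4624, "TargetUserName": "jdoe", "WorkstationName": "WS-114",
     "IpAddress": "10.1.5.23", "LogonType": 2},
    {"EventID": 4624, "TargetUserName": "da-jsmith", "WorkstationName": "PAW01",
     "IpAddress": "10.1.9.10", "LogonType": 10},
    {"EventID": 4624, "TargetUserName": "da-jsmith", "WorkstationName": "WS-114",
     "IpAddress": "10.1.5.23", "LogonType": 10},
    {"EventID": 4728, "SubjectUserName": "da-jsmith", "TargetUserName": "Domain Admins",
     "MemberName": "CN=svc-backup,OU=Service,DC=corp,DC=example"},
    {"EventID": 4728, "SubjectUserName": "hr-admin", "TargetUserName": "HR-Readers",
     "MemberName": "CN=jdoe,OU=Users,DC=corp,DC=example"},
]


@dataclass
class Alert:
    rule: str
    account: str
    detail: str


def check_privileged_logon(ev):
    """Domain Admin interactive/RDP logon from a host that is not a PAW."""
    if ev.get("EventID") != 4624:
        return None
    user = ev.get("TargetUserName", "")
    if user not in DOMAIN_ADMIN_ACCOUNTS:
        return None
    if ev.get("LogonType") not in INTERACTIVE_LOGON_TYPES:
        return None
    host = ev.get("WorkstationName", "")
    if host in PAW_HOSTS:
        return None
    return Alert("DA_LOGON_FROM_NON_PAW", user, f"{host} ({ev.get('IpAddress')})")


def check_group_change(ev):
    """Any addition to a Tier-0 group; these should be rare and tied to a ticket."""
    if ev.get("EventID") not in GROUP_ADD_EVENTS:
        return None
    group = ev.get("TargetUserName", "")
    if group not in PRIVILEGED_GROUPS:
        return None
    return Alert("TIER0_GROUP_MEMBER_ADDED", ev.get("SubjectUserName", ""),
                 f"added {ev.get('MemberName')} to {group}")


RULES = (check_privileged_logon, check_group_change)


def run_detections(events):
    """Apply every rule to every event and return the alerts in event order."""
    alerts = []
    for ev in events:
        for rule in RULES:
            alert = rule(ev)
            if alert is not None:
                alerts.append(alert)
    return alerts


if __name__ == "__main__":
    for a in run_detections(SAMPLE_EVENTS):
        print(f"[{a.rule}] {a.account}: {a.detail}")
```

Over the sample, the logon from PAW01 is silent and the same account's RDP logon from the ordinary workstation WS-114 fires, as does the addition of a service account to Domain Admins; in production the allowlists would come from the PAW inventory and the Tier-0 group list, and the alerts would feed a SIEM rather than stdout.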