Stock market data giant Zacks Investment Research is sending out breach notification letters to 820,000 people after discovering a breach that lasted nearly one year.
In filings with the Maine Attorney General’s office, the company revealed that it suffered a breach that lasted from November 2021 to August 2022. The company did not respond to requests for comment about why the breach lasted so long and why it took so long for them to notify victims.
The breach involved names, addresses, phone numbers, email addresses, and passwords used for Zacks.com.
Founded in 1978, Zacks provides users with a range of investment information ranging from earnings predictions to ratings that help people make stock market trades.
“On December 28, 2022, Zacks learned that an unknown third-party had gained unauthorized access to certain customer records described below,” the company said.
“The information involved comes from an older database of Zacks customers who had signed up for the Zacks Elite product between November 1999 through February 2005.”
Zacks said it has implemented security measures so that those affected can no longer sign in with the compromised password. When victims next check their account, they will be shown a screen requiring them to create a new password.
The company noted that it is still investigating the incident and implementing other measures to protect the security of its systems.
The company will not be providing any credit monitoring service to the 820,000 people affected by the breach, but urged victims to watch their financial accounts for any unknown charges.
Zacks also warned those affected that if they use the same leaked password on other websites, they should change those as well.
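The two mitigations the article describes, blocking sign-in with the compromised password until a new one is set and discouraging reuse of the leaked password elsewhere, can be modelled in a small authentication service. The following is an added example written for this page; it is not Zacks' code and says nothing about how Zacks.com actually implements its reset screen. The `AuthService` class, the `KNOWN_BREACHED` list and the sample usernames are all constructed for the demonstration, and PBKDF2-SHA256 is an assumed password-hashing choice.

```python
"""Forced password reset for accounts whose stored credential is known to be
compromised. Added illustrative code, not the article's or Zacks' own."""
import hashlib
import hmac
import secrets

PBKDF2_ITERATIONS = 60_000  # assumption: kept modest so the demo runs quickly

# Constructed stand-in for a breached-password list (e.g. passwords already
# leaked elsewhere). These are demo values, not real credentials.
KNOWN_BREACHED = {"password123", "letmein", "zacks2005"}


def _hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-SHA256 digest of the password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)


class Account:
    def __init__(self, username: str, password: str):
        self.username = username
        self.salt = secrets.token_bytes(16)
        self.pw_hash = _hash_password(password, self.salt)
        self.reset_required = False  # set once this credential is known leaked
        self.reset_token = None      # one-time token issued for the reset flow


class AuthService:
    def __init__(self):
        self.accounts = {}

    def register(self, username: str, password: str) -> None:
        self.accounts[username] = Account(username, password)

    def flag_compromised(self, usernames) -> None:
        """Mark every account found in the breached dataset so that the old
        password no longer grants a session. Unknown names are ignored."""
        for name in usernames:
            acct = self.accounts.get(name)
            if acct is not None:
                acct.reset_required = True

    def _password_matches(self, acct: Account, password: str) -> bool:
        return hmac.compare_digest(acct.pw_hash, _hash_password(password, acct.salt))

    def login(self, username: str, password: str) -> str:
        """Return 'ok', 'denied', or 'reset_required' (correct but compromised
        password: the caller must show the mandatory new-password screen)."""
        acct = self.accounts.get(username)
        if acct is None or not self._password_matches(acct, password):
            return "denied"
        if acct.reset_required:
            return "reset_required"
        return "ok"

    def issue_reset_token(self, username: str):
        """Create a one-time reset token for a flagged account. In a real
        deployment this is delivered out of band (e.g. to the verified email),
        never handed to whoever holds the leaked password; the demo returns it."""
        acct = self.accounts.get(username)
        if acct is None or not acct.reset_required:
            return None
        acct.reset_token = secrets.token_urlsafe(32)
        return acct.reset_token

    def set_new_password(self, username: str, reset_token: str, new_password: str) -> str:
        """Complete the reset: 'denied' on a bad token, 'rejected' if the new
        password is the compromised one or is on the breached list, else 'ok'."""
        acct = self.accounts.get(username)
        if acct is None or acct.reset_token is None:
            return "denied"
        if not hmac.compare_digest(acct.reset_token, reset_token):
            return "denied"
        if self._password_matches(acct, new_password) or new_password in KNOWN_BREACHED:
            return "rejected"
        acct.salt = secrets.token_bytes(16)
        acct.pw_hash = _hash_password(new_password, acct.salt)
        acct.reset_required = False
        acct.reset_token = None  # token is single-use
        return "ok"


if __name__ == "__main__":
    svc = AuthService()
    svc.register("alice", "zacks2005")
    svc.flag_compromised(["alice"])
    print(svc.login("alice", "zacks2005"))           # reset_required
    token = svc.issue_reset_token("alice")
    print(svc.set_new_password("alice", token, "zacks2005"))        # rejected
    print(svc.set_new_password("alice", token, "NewStrong!Pass9"))  # ok
    print(svc.login("alice", "NewStrong!Pass9"))     # ok
```

The design point is that a flagged account accepts its old password only far enough to route the user into the reset screen, and the reset itself refuses both the compromised password and anything on the breached list, which is the server-side counterpart of the advice to change reused passwords on other sites. The token delivery is deliberately separated from `login`: since the old password is assumed to be in an attacker's hands, a reset that is authorised by that password alone would let the attacker complete it too.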
KnowBe4’s Roger Grimes said that while there can always be extenuating circumstances around why it took so long to notify victims, the company’s lengthy wait left victims exposed for an extended period of time.
“A month to notify affected customers that their current passwords, which are often shared with other unrelated sites and services, seems a bit excessive,” he said.
“You would hope any breached company would notify affected customers within days and not take weeks to make an official announcement.”