820k Impacted by Data Breach at Zacks Investment Research

820k-impacted-by-data-breach-at-zacks-investment-research

Stock research firm Zacks Investment Research is in the process of notifying customers that their personal information was compromised in a data breach.

Founded in 1978, Zacks Investment Research is one of the largest providers of stock research, analysis and recommendations for firms in the US.

Earlier this week, the company informed the Maine Attorney General’s Office that the personal information of 820,000 individuals was compromised after a third-party gained unauthorized access to its systems.

The data breach, the firm says, was discovered in December 2022, but the unauthorized access occurred sometime between November 2021 and August 2022.

The notification letter to the impacted customers, a copy of which was submitted to the Maine Attorney General, reveals that the unauthorized third-party had access to an older database containing information about customers who had signed up for a Zacks product between November 1999 and February 2005.

The compromised personal information includes names, addresses, phone numbers, email addresses, and passwords for Zacks.com.

“We have no reason to believe any customer credit card information, any other customer financial information, or any other customer personal information was accessed,” the company says.

Zacks says it has implemented security measures to stop the breach and that it has reset the passwords for the impacted accounts.

“When you log into your Zacks account, you will be prompted to change your password. You should also change the password for all other online accounts for which you used the same e-mail address and password as your Zacks account,” the company tells users.

Zacks told the Maine Attorney General that it will begin notifying impacted customers on January 27.

Related: 18k Nissan Customers Affected by Data Breach at Third-Party Software Developer

Related: 251k Impacted by Data Breach at Insurance Firm Bay Bridge Administrators

Related: FCC Proposes Tighter Data Breach Reporting Rules for Wireless Carriers

The post 820k Impacted by Data Breach at Zacks Investment Research appeared first on SecurityWeek.

GoTo Says Hackers Stole Encrypted Backups, MFA Settings

goto-says-hackers-stole-encrypted-backups,-mfa-settings

IT management software firm GoTo on Tuesday said an unidentified threat actor stole encrypted backups and an encryption key for a portion of that data during a 2022 breach that also affected its LastPass affiliate.

GoTo chief executive Paddy Srinivasan confirmed the security breach was far worse than originally reported and included the theft of account usernames, salted and hashed passwords, a portion of Multi-Factor Authentication (MFA) settings, as well as some product settings and licensing information.

In a notice posted online, Srinivasan the encrypted backups were related to multiple GoTo-owned software products:

Our investigation to date has determined that a threat actor exfiltrated encrypted backups from a third-party cloud storage service related to the following products: Central, Pro, join.me, Hamachi, and RemotelyAnywhere

We also have evidence that a threat actor exfiltrated an encryption key for a portion of the encrypted backups. The affected information, which varies by product, may include account usernames, salted and hashed passwords, a portion of Multi-Factor Authentication (MFA) settings, as well as some product settings and licensing information. 

In addition, while Rescue and GoToMyPC encrypted databases were not exfiltrated, MFA settings of a small subset of their customers were impacted.” 

Srinivasan said the company has no evidence of exfiltration affecting any other GoTo products or any of GoTo’s production systems.

Even though all account passwords were salted and hashed in accordance with best practices, Srinivasan said GoTo plans to reset the passwords of affected users and/or reauthorize MFA settings where applicable. 

“In addition, we are migrating their accounts onto an enhanced Identity Management Platform, which will provide additional security with more robust authentication and login-based security options,” the GoTo CEO said. 

In August last year, GoTo affiliate LastPass disclosed a data breach that included the theft of source code and proprietary technical information.  In November, GoTo said it was also affected by that hack, which is linked to an unnamed third-party cloud security vendor.

In a worrisome update in late December, the password management outfit admitted the hackers behind the August breach stole a massive stash of customer data, including password vault data that could be exposed by brute-forcing or guessing master passwords.

LastPass said the hackers broke into its network in August and used information from that hack to return and hijack customer data that included company names, end-user names, billing addresses, email addresses, telephone numbers, and the IP addresses from which customers were accessing the LastPass service.  

In addition, the unidentified actor was also able to copy a backup of customer vault data from an encrypted storage container.

The exposed container contained both unencrypted data, such as website URLs, as well as fully-encrypted sensitive fields such as website usernames and passwords, secure notes, and form-filled data.

Related: LastPass Says Password Vault Data Hijacked in Data Breach

Related: LastPass Source Code Stolen in Data Breach

Related: GoTo, LastPass Notify Customers of New Data Breach Related to Previous Incident

Related: LastPass Found No Code Injection Attempts Following August Data Breach

The post GoTo Says Hackers Stole Encrypted Backups, MFA Settings appeared first on SecurityWeek.

Zendesk Hacked After Employees Fall for Phishing Attack

zendesk-hacked-after-employees-fall-for-phishing-attack

Customer service solutions provider Zendesk has suffered a data breach that resulted from employee account credentials getting phished by hackers.

Cryptocurrency trading and portfolio management company Coinigy revealed last week that it had been informed by Zendesk about a cybersecurity incident

According to the email received by Coinigy, Zendesk learned on October 25, 2022, that several employees were targeted in a “sophisticated SMS phishing campaign”. Some employees took the bait and handed over their account credentials to the attackers, allowing them to access unstructured data from a logging platform between September 25 and October 26, 2022.

Zendesk told Coinigy that, as part of its ongoing review, discovered on January 12, 2023, that service data belonging to the company’s account may have been in the logging platform data. Zendesk said there was no indication that Coinigy’s Zendesk instance had been accessed, but its investigation is still ongoing. 

Zendesk does not appear to have published any statement or notice related to this incident on its website and the company has not responded to SecurityWeek’s inquiry.

However, based on the available information, it’s possible that the attack on Zendesk is related to a campaign named 0ktapus, in which a threat actor that appears to be financially motivated targeted more than 130 organizations between March and August 2022, including major companies such as Twilio and Cloudflare. 

The 0ktapus attackers used SMS-based phishing messages to obtain employee credentials and victims included cryptocurrency companies. 

Twilio and Cloudflare discovered breaches in August, but there was no indication that the campaign was not ongoing, so it’s possible that the same hackers targeted Zendesk a few months later. 

While Coinigy appears to have been notified by Zendesk about the data breach only in January 2023, other victims appear to have been informed much sooner. 

The US-based cryptocurrency exchange Kraken informed customers about a Zendesk breach that involved phishing and unauthorized access to the Zendesk logging system back in November. Kraken said at the time that while accounts and funds were not at risk, the attackers did view the content of support tickets, which contained information such as name, email address, date of birth and phone number.

This is not the first data breach disclosed by Zendesk. In 2019, the company revealed that it had become aware of a security incident that hit roughly 10,000 accounts

Related: Zendesk Vulnerability Could Have Given Hackers Access to Customer Data

Related: Recently Disclosed Vulnerability Exploited to Hack Hundreds of SugarCRM Servers

The post Zendesk Hacked After Employees Fall for Phishing Attack appeared first on SecurityWeek.