A threat actor claimed to be selling a database containing 6.5 million user records from Investing.com, a popular financial news and market analysis platform. The compromised data reportedly includes user IDs, registration timestamps, email addresses, platforms, and registration sources.
According to the hacker, the alleged breach was facilitated by an Insecure Direct Object Reference (IDOR) vulnerability, a flaw that allows unauthorised access to database records by manipulating object identifiers. If confirmed, this could indicate a serious security lapse in Investing.com’s user data protection mechanism.
The hacker claims that the database contains user information from 2014, though most affected accounts belong to users who registered between 2024 and 2025.
The threat actor stated they sent 50 million requests to Investing.com’s system before the vulnerability was patched. The data is now being sold exclusively on breach forums, and the hacker is offering a 500-line sample for verification.
“Just around 1 week ago, I found an IDOR vulnerability in Investing.com that reveals sensitive user information. After 50 million requests the IDOR was patched but I had already gotten around 6,486,780 users,” the hacker wrote.
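The flaw class described above, shown from the defender's side as an added example (not code from the article or from Investing.com): a lookup that trusts the requested identifier, the same lookup with an ownership check, and a log check that flags a client requesting many IDs other than its own. The record layout, function names, sample log and threshold are all constructed assumptions.

```python
from collections import defaultdict

# Constructed sample records; fields mirror the data types the article lists.
USERS = {
    1001: {"user_id": 1001, "registered": "2024-03-01T10:00:00Z",
           "email": "alice@example.com", "platform": "web", "source": "organic"},
    1002: {"user_id": 1002, "registered": "2025-01-15T08:30:00Z",
           "email": "bob@example.com", "platform": "android", "source": "referral"},
}


def get_profile_idor(requested_id):
    """Vulnerable pattern: trusts the identifier supplied in the request."""
    return USERS.get(requested_id)


def get_profile_checked(session_user_id, requested_id):
    """Hardened pattern: the server compares the requested object to the
    authenticated session before returning anything."""
    if requested_id != session_user_id:
        raise PermissionError("requested object does not belong to caller")
    return USERS.get(requested_id)


def flag_enumeration(access_log, max_foreign_ids=3):
    """Return clients that requested more distinct IDs other than their own
    than the threshold allows (hypothetical threshold, tune per endpoint)."""
    foreign = defaultdict(set)
    for client, session_user_id, requested_id in access_log:
        if requested_id != session_user_id:
            foreign[client].add(requested_id)
    return sorted(c for c, ids in foreign.items() if len(ids) > max_foreign_ids)


# Constructed access log: (client, authenticated user id, requested user id).
SAMPLE_LOG = [("198.51.100.7", 1001, rid) for rid in range(1001, 1011)]
SAMPLE_LOG += [("203.0.113.9", 1002, 1002), ("203.0.113.9", 1002, 1002)]

if __name__ == "__main__":
    print(get_profile_idor(1002)["email"])  # record returned to any caller
    try:
        get_profile_checked(1001, 1002)
    except PermissionError as exc:
        print("denied:", exc)
    print(flag_enumeration(SAMPLE_LOG))
```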
This was not the first time Investing.com has faced a data breach. In September 2024, a separate incident exposed 7,000 records of Indian investors, revealing sensitive banking security details, email addresses, and phone numbers.
Investing.com was founded in 2007 in Israel and has over 250 employees in Tel Aviv, Madrid, Milan, Tokyo, Mumbai, Seoul, and Shenzhen. The website covers global stock markets, commodities, indices, currencies, bonds, funds, and futures, among other financial instruments.
According to the website, it caters to about 46 million monthly users and is regarded as one of the top financial websites in the world.
Investing.com users should immediately change their passwords, watch for phishing emails, and report any incidents to relevant authorities.
