LexisNexis confirms data breach as hackers leak stolen files
Source: Bleeping Computer

LexisNexis Legal & Professional, an American data analytics company, has confirmed to BleepingComputer that hackers breached its servers and accessed some customer and business information. The breach confirmation follows a leak of 2 GB of files by a threat actor known as FulcrumSec on various underground forums and sites.
LexisNexis L&P is a global provider of legal, regulatory, and business information, research tools, and analytics used by lawyers, corporations, governments, and academic institutions in more than 150 countries worldwide.
Cloud breach via unpatched React app
The threat actor says that on February 24 they gained access to the company’s AWS infrastructure by exploiting the React2Shell vulnerability in an unpatched React frontend app.
LexisNexis L&P admitted that hackers breached its network, noting that the stolen information was old and consisted mostly of non‑critical details.
“Our investigation has confirmed that an unauthorized party accessed a limited number of servers,” the company told BleepingComputer.
“These servers contained mostly legacy, deprecated data from prior to 2020, including information such as customer names, user IDs, business contact information, products used, customer surveys with respondent IP addresses, and support tickets.”
“The impacted information did not contain Social Security numbers, driver’s license numbers, or any other sensitive personally identifiable information; credit card, bank accounts, or any other financial information; active passwords; or customer search queries, customer client or matter information, or customer contracts.”
Based on its investigation, LexisNexis believes the intrusion has been contained and found no evidence that products or services were impacted.
In a public post detailing the hack, FulcrumSec claims they stole information related to more than 100 users with .gov email addresses, including U.S. government employees, federal judges and law clerks, U.S. Department of Justice attorneys, and U.S. SEC staff.
Exfiltrated data
FulcrumSec states they “exfiltrated 2.04 GB of structured data from LexisNexis AWS infrastructure” via a vulnerable React container with access to:
- 536 Redshift tables
- 430+ VPC database tables
- 53 AWS Secrets Manager secrets in plaintext
- 3.9 M database records
- 21,042 customer accounts
- 5,582 attorney survey respondents
- 45 employee password hashes
- Complete VPC infrastructure mapping
They also say they had access to around 400,000 cloud user profiles that included real names, emails, phone numbers, and job functions. According to the hackers, 118 users had .gov addresses belonging to U.S. government employees, federal judges and law clerks, U.S. Department of Justice attorneys, and U.S. SEC staff.

FulcrumSec’s post for LexisNexis data leak – Source: BleepingComputer
FulcrumSec claimed they contacted LexisNexis, but the company “decided not to work with us on this.” They also criticized the company’s security practices that permitted a single ECS task role “read access to every secret in the account, including the production Redshift master credential.”
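An added example, not from the article or from LexisNexis: a Python check a defender could run over a task role's IAM policy document to flag the kind of grant criticized above, where one role can read every Secrets Manager secret in the account. The policy documents, Sids, secret names and account ID are constructed, and the function name is hypothetical; Condition, NotAction and NotResource elements are not evaluated.

```python
import fnmatch

READ_ACTION = "secretsmanager:getsecretvalue"

def _as_list(value):
    # IAM accepts either a bare string or a list for Action and Resource.
    return [value] if isinstance(value, str) else list(value or [])

def _grants_read(action):
    # Action names are case-insensitive and may use * and ? wildcards.
    return fnmatch.fnmatchcase(READ_ACTION, action.lower())

def _covers_all_secrets(resource):
    if resource == "*":
        return True
    # arn:<partition>:secretsmanager:<region>:<account>:secret:<name>
    parts = resource.split(":", 6)
    return (len(parts) == 7 and parts[2] == "secretsmanager"
            and parts[5] == "secret" and parts[6] == "*")

def broad_secret_statements(policy):
    """Return the Sid (or index) of each Allow statement that lets the
    role read every secret. Condition/NotAction/NotResource are ignored."""
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):  # a single statement may be unwrapped
        statements = [statements]
    findings = []
    for index, stmt in enumerate(statements):
        if stmt.get("Effect") != "Allow":
            continue
        reads = any(_grants_read(a) for a in _as_list(stmt.get("Action")))
        broad = any(_covers_all_secrets(r) for r in _as_list(stmt.get("Resource")))
        if reads and broad:
            findings.append(stmt.get("Sid", index))
    return findings

# Constructed sample policies (account ID and secret names are placeholders).
WEAK_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "ReadSecrets", "Effect": "Allow",
     "Action": "secretsmanager:GetSecretValue", "Resource": "*"}]}
SCOPED_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "ReadOwnSecret", "Effect": "Allow",
     "Action": "secretsmanager:GetSecretValue",
     "Resource": "arn:aws:secretsmanager:us-east-1:111122223333:secret:frontend/app-config-*"}]}

if __name__ == "__main__":
    print("weak:", broad_secret_statements(WEAK_POLICY))
    print("scoped:", broad_secret_statements(SCOPED_POLICY))
```

A statement flagged here still needs a manual look at any Condition block before it is treated as a finding.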
LexisNexis has notified law enforcement and contracted an external cybersecurity expert to assist with the investigation and implementation of containment measures. The company has taken responsibility for the breach and informed current and previous customers of the intrusion.
Last year, the company disclosed another breach after hackers compromised a corporate account and accessed sensitive information belonging to 364,000 customers.