LexisNexis confirms data breach as hackers leak stolen information

American knowledge analytics firm LexisNexis Authorized & Skilled has confirmed to BleepingComputer that hackers breached its servers and accessed some buyer and enterprise data.

The corporate’s data breach affirmation comes as a risk actor named FulcrumSec leaked 2GB of information on numerous underground boards and websites.

LexisNexis L&P is a worldwide supplier of authorized, regulatory, and enterprise data, analysis instruments, and analytics utilized by attorneys, firms, governments, and tutorial establishments in additional than 150 nations worldwide.

Cloud breach through unpatched React app

The risk actor says that on February 24 they gained entry to the corporate’s AWS infrastructure by exploiting the React2Shell vulnerability in an unpatched React frontend app.

LexisNexis L&P admitted that hackers breached its community, noting that the stolen data was previous and consisted principally of non-critical particulars.

“Our investigation has confirmed that an unauthorized get together accessed a restricted variety of servers,” the corporate informed BleepingComputer.

“These servers contained principally legacy, deprecated knowledge from previous to 2020, together with data reminiscent of buyer names, person IDs, enterprise contact data, merchandise used, buyer surveys with respondent IP addresses, and assist tickets,” a spokesperson mentioned.

“The impacted data didn’t comprise Social Safety numbers, driver’s license numbers, or every other delicate personally identifiable data; bank card, financial institution accounts, or every other monetary data; lively passwords; or buyer search queries, buyer consumer or matter data, or buyer contracts.”

Primarily based on its investigation, LexisNexis believes that the intrusion has been contained and located no proof that services or products had been impacted by the intrusion.

In a public publish detailing the hack, FulcrumSec claims that they stole data associated to greater than 100 customers with .gov e mail addresses, which included U.S. authorities staff, federal judges and legislation clerks, U.S. Division of Justice attorneys, and U.S. SEC employees.

The risk actor detailed the intrusion, saying that they “exfiltrated 2.04 GB of structured knowledge from LexisNexis AWS infrastructure” through a susceptible React container with entry to:

• 536 Redshift tables
• 430+ VPC database tables
• 53 AWS Secrets and techniques Supervisor secrets and techniques in plaintext
• 3.9M database data
• 21,042 buyer accounts
• 5,582 lawyer survey respondents
• 45 worker password hashes
• Full VPC infrastructure mapping

FulcrumSec mentioned that in addition they had entry to round 400,000 cloud person profiles that included actual names, emails, telephone numbers, and job capabilities. In line with the hackers, 118 customers had .gov addresses belonging to U.S. authorities staff, federal judges and legislation clerks, U.S. Division of Justice attorneys, and U.S. SEC employees.

FulcrumSec mentioned that they contacted LexisNexis, however the firm “determined to not work with us on this.” In addition they criticized the corporate’s security practices that permitted a single ECS process function “learn entry to each secret within the account, together with the manufacturing Redshift grasp credential.”

LexisNexis has notified legislation enforcement and contracted an exterior cybersecurity professional to help with the investigation and implementation of containment measures.

The corporate has taken accountability for the breach and knowledgeable present and former clients of the intrusion.

Final 12 months, the corporate disclosed one other breach after hackers compromised a company account and accessed delicate data belonging to 364,000 clients.