Cyber: LexisNexis Confirms Data Breach As Hackers Leak Stolen Files

American data analytics company LexisNexis Legal & Professional has confirmed to BleepingComputer that hackers breached its servers and accessed some customer and business information.

The company's data breach confirmation comes as a threat actor named FulcrumSec leaked 2GB of files on various underground forums and sites.

LexisNexis L&P is a global provider of legal, regulatory, and business information, research tools, and analytics used by lawyers, corporations, governments, and academic institutions in more than 150 countries worldwide.

The threat actor says that on February 24 they gained access to the company's AWS infrastructure by exploiting the React2Shell vulnerability in an unpatched React frontend app.

LexisNexis L&P admitted that hackers breached its network, noting that the stolen information was old and consisted mostly of non-critical details.

“Our investigation has confirmed that an unauthorized party accessed a limited number of servers,” the company told BleepingComputer.

“These servers contained mostly legacy, deprecated data from prior to 2020, including information such as customer names, user IDs, business contact information, products used, customer surveys with respondent IP addresses, and support tickets,” a spokesperson said.

“The impacted information did not contain Social Security numbers, driver’s license numbers, or any other sensitive personally identifiable information; credit card, bank accounts, or any other financial information; active passwords; or customer search queries, customer client or matter information, or customer contracts.”

Based on its investigation, LexisNexis believes that the intrusion has been contained and has found no evidence that products or services were impacted.

In a public post detailing the hack, FulcrumSec claims that they stole information related to more than 100 users with .gov email addresses, which included U.S. government employees, federal judges and law clerks, U.S. Department of Justice attorneys, and U.S. SEC staff.

Source: BleepingComputer