A major data breach has rocked LexisNexis Legal & Professional, with hackers reportedly exfiltrating gigabytes of sensitive customer and business information! This news comes as a stark reminder of the ever-present threats in our digital world. LexisNexis, a giant in providing legal, regulatory, and business information to professionals and institutions across over 150 countries, has confirmed that its servers were indeed compromised.
The breach, attributed to a threat actor known as FulcrumSec, involved the theft of approximately 2GB of files. These files were subsequently leaked across various underground online forums. The company, while confirming the intrusion, has stated that the accessed data was largely legacy information from before 2020 and primarily comprised non-critical details. This included items like customer names, user IDs, business contact details, information on products used, customer surveys (which interestingly contained respondent IP addresses), and support tickets.
But here's where it gets a bit more concerning for some: LexisNexis has explicitly stated that the stolen information did NOT include highly sensitive personal identifiers such as Social Security numbers, driver's license numbers, or any other sensitive personally identifiable information. Furthermore, financial data like credit card numbers, bank account details, or active passwords were also reportedly untouched. Customer search queries, client or matter details, and customer contracts were also said to be safe.
And this is the part most people miss: The hackers claim to have gained access by exploiting a vulnerability called React2Shell in an unpatched React frontend application. This allowed them to breach the company's AWS infrastructure on February 24th. FulcrumSec alleges they exfiltrated a significant amount of structured data, including access to 536 Redshift tables, over 430 VPC database tables, and 53 AWS Secrets Manager secrets in plaintext. They also claim to have accessed nearly 4 million database records, over 21,000 customer accounts, and details on 5,582 attorney survey respondents. Adding to the intrigue, they also reported obtaining 45 employee password hashes and a complete mapping of the VPC infrastructure.
The hackers also made a bold claim about the type of users affected: FulcrumSec stated they had access to approximately 400,000 cloud user profiles, containing real names, emails, phone numbers, and job functions. Of particular note, they highlighted that 118 users had '.gov' email addresses, indicating potential access to information related to U.S. government employees, federal judges, law clerks, U.S. Department of Justice attorneys, and U.S. SEC staff. This raises significant questions about the security of government-related data held by private entities.
FulcrumSec has been quite vocal, criticizing LexisNexis's security practices. They claim to have contacted the company, but LexisNexis reportedly chose not to engage with them. The hackers pointed out that a single ECS task role had 'read access to every secret in the account, including the production Redshift master credential,' which they deemed a serious security oversight.
LexisNexis has taken proactive steps, notifying law enforcement and bringing in an external cybersecurity expert to aid in their investigation and implement containment strategies. They've also taken responsibility and informed both current and former customers about the incident. This isn't the first time LexisNexis has faced a data breach; they disclosed a similar incident last year affecting around 364,000 customers.
What do you think? Does the fact that the stolen data was mostly 'legacy' information make this breach less concerning, or does the potential access to government-related accounts and sensitive infrastructure details outweigh that? Let us know your thoughts in the comments below!
