LexisNexis, a large American data analytics firm, has confirmed a major data breach after the compromised information was dumped on the darknet. Although the hackers obtained only 2GB of data, the stolen information is highly sensitive, consisting primarily of user details, some of them linked to government entities. The breach follows a class action lawsuit filed in 2024 over a previous breach and the mishandling of client data.
About LexisNexis
As a data analytics firm, LexisNexis provides a vast amount of information, mainly focused on law, regulation, and business. Founded in 1973, LexisNexis has given companies access to court cases, laws, and all sorts of public records. Its tools are used by lawyers, businesses, and government workers.
Gaining Access
FulcrumSec gained access by exploiting an unpatched vulnerability in React2shell, a flaw that had been publicly known for months without a fix. From there, the attacker moved on to compromise AWS's Elastic Container Service (ECS), specifically targeting the LawfirmsStoreECSTask role. The permissions attached to that role gave the attacker access to sensitive data, which ultimately led to the compromise.
In his BreachForums data dump, FulcrumSec mocked LexisNexis for using the password "Lexis1234" for its relational database services. He also highlighted the company's negligent approach to cybersecurity, especially in the wake of the class action lawsuit concerning data mishandling.
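The chain described above turns on what the compromised task role was allowed to do once the container was breached. The following added example (not code from the article, LexisNexis or FulcrumSec) is an offline linter that flags the over-broad IAM policy statements that let a single container compromise reach secrets and databases; both policy documents, the account id and every ARN in it are constructed placeholders.

```python
"""Offline least-privilege check for an ECS task role's IAM policy.

Added example, not from the article or from LexisNexis. A container compromised
through its web app inherits its task role, so the role's policy bounds the blast
radius. Both policy documents are constructed; account ids and ARNs are placeholders.
"""

# Service prefixes whose broad, unconditional grant turns a container compromise into a data-store one.
SENSITIVE_PREFIXES = ("secretsmanager:", "rds:", "s3:", "iam:", "sts:")

def _as_list(value):  # IAM accepts a string or a list for Action/Resource
    return value if isinstance(value, list) else [value]

def audit_policy(policy: dict) -> list[str]:
    """Return one finding per over-broad pattern in the policy's Allow statements."""
    findings = []
    for i, stmt in enumerate(_as_list(policy.get("Statement", []))):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action", []))
        resources = _as_list(stmt.get("Resource", []))
        for action in actions:
            if action == "*" or action.endswith(":*"):
                findings.append(f"statement {i}: wildcard action {action!r}")
        if "*" in resources and not stmt.get("Condition"):
            broad = [a for a in actions if a == "*" or a.startswith(SENSITIVE_PREFIXES)]
            if broad:
                findings.append(f"statement {i}: {broad} on every resource, no Condition")
    return findings

# Constructed over-permissive policy: logging is scoped, secrets and RDS are not.
OVERLY_BROAD_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["logs:CreateLogStream", "logs:PutLogEvents"],
         "Resource": "arn:aws:logs:us-east-1:111122223333:log-group:/ecs/example:*"},
        {"Effect": "Allow", "Action": "secretsmanager:GetSecretValue", "Resource": "*"},
        {"Effect": "Allow", "Action": "rds:*", "Resource": "*"},
    ],
}

# Constructed least-privilege counterpart: read access to one named secret only.
SCOPED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "secretsmanager:GetSecretValue",
         "Resource": "arn:aws:secretsmanager:us-east-1:111122223333:secret:example/db-*"},
    ],
}
```

Running `audit_policy` over the broad policy yields three findings (the unconditional secret read plus two for `rds:*`), while the scoped policy yields none.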
Critical Data Dump
News of the breach first made headlines yesterday, after dark web monitors discovered that a hacker known as FulcrumSec had dumped the entire trove of data on a hacking forum. Although the breach involves only 2GB of data, it contains millions of text-based records. These include critical database tables and roughly 400,000 cloud user profiles with personal information such as names, emails, phone numbers, and job functions, among other sensitive data. Over 100 of the leaked accounts belong to government employees, including federal judges, high-profile DOJ attorneys, SEC staff, and more.
A significant amount of other critical data has also been leaked, including manager secrets extracted from AWS in plaintext, as well as employee passwords for backend infrastructure. Customer support tickets and other communication logs were also exposed.
This breach is substantial and could trigger a domino effect of further critical breaches if not mitigated swiftly. All affected corporations and clients must immediately change any impacted logins to minimize the potential damage.
LexisNexis Responds
The company has acknowledged the breach, confirming its authenticity. In their response, LexisNexis stated that the attackers primarily accessed "mostly legacy" servers, which contained data from before 2020. The company further confirmed that the exposed data includes customer user IDs, business information, products used, IP addresses, and support tickets.
Conclusion
This is one of the rarer breaches where the attacker did not appear to attempt any extortion against the company or sell the stolen data online. Instead, the hacker simply dumped the data for free and called out LexisNexis, specifically criticizing their pattern of negligence in securing such systems. The company's response also seemed to downplay the situation, offering minimal acknowledgment of the severity of the breach.