American data analytics company LexisNexis Legal & Professional has confirmed to BleepingComputer that hackers breached its servers and accessed some customer and business information.

The company's data breach confirmation comes as a threat actor named FulcrumSec leaked 2GB of files on various underground forums and sites.

LexisNexis L&P is a global provider of legal, regulatory, and business information, research tools, and analytics used by lawyers, corporations, governments, and academic institutions in more than 150 countries worldwide.

Cloud breach via unpatched React app

The threat actor says that on February 24 they gained access to the company's AWS infrastructure by exploiting the React2Shell vulnerability in an unpatched React frontend app.

LexisNexis L&P admitted that hackers breached its network, noting that the stolen information was old and consisted mostly of non-critical details.

“Our investigation has confirmed that an unauthorized party accessed a limited number of servers,” the company told BleepingComputer.

“These servers contained mostly legacy, deprecated data from prior to 2020, including information such as customer names, user IDs, business contact information, products used, customer surveys with respondent IP addresses, and support tickets,” a spokesperson said.

“The impacted information did not contain Social Security numbers, driver’s license numbers, or any other sensitive personally identifiable information; credit card, bank accounts, or any other financial information; active passwords; or customer search queries, customer client or matter information, or customer contracts.”

Based on its investigation, LexisNexis believes that the intrusion has been contained and found no evidence that products or services were impacted by the intrusion.

In a public post detailing the hack, FulcrumSec claims that they stole information related to more than 100 users with .gov email addresses, which included U.S. government employees, federal judges and law clerks, U.S. Department of Justice attorneys, and U.S. SEC staff.

The threat actor detailed the intrusion, saying that they "exfiltrated 2.04 GB of structured data from LexisNexis AWS infrastructure" via a vulnerable React container with access to:

• 536 Redshift tables
• 430+ VPC database tables
• 53 AWS Secrets Manager secrets in plaintext
• 3.9M database records
• 21,042 customer accounts
• 5,582 attorney survey respondents
• 45 employee password hashes
• Complete VPC infrastructure mapping

FulcrumSec said that they also had access to around 400,000 cloud user profiles that included real names, emails, phone numbers, and job functions. According to the hackers, 118 users had .gov addresses belonging to U.S. government employees, federal judges and law clerks, U.S. Department of Justice attorneys, and U.S. SEC staff.

FulcrumSec said that they contacted LexisNexis, but the company "decided not to work with us on this." They also criticized the company’s security practices that permitted a single ECS task role "read access to every secret in the account, including the production Redshift master credential."

LexisNexis has notified law enforcement and contracted an external cybersecurity expert to assist with the investigation and implementation of containment measures.

The company has taken responsibility for the breach and informed current and previous customers of the intrusion.

Last year, the company disclosed another breach after hackers compromised a corporate account and accessed sensitive information belonging to 364,000 customers.