
A simple unpatched bug has led to a serious breach, exposing hundreds of thousands of LexisNexis records.
According to BleepingComputer, a recent breach at LexisNexis gave hackers access to nearly 4 million database records, hundreds of accounts, password hashes, and cloud data. The company admitted the hackers gained access by exploiting an unpatched React vulnerability in its systems.
The company, which provides legal and data analytics services to government and corporate organizations in more than 150 countries, saw more than 2 gigabytes of stolen data dumped on several dark web platforms by FulcrumSec, a hacker group.
From an unpatched vulnerability to a data breach
According to Automox, 60% of data breaches are tied to unpatched vulnerabilities. While other sources report slightly different figures, the signal is clear: unpatched system flaws have been an easy way in for hackers. LexisNexis is now one more entry in those statistics.
BleepingComputer reported that the hackers exploited a months-old React vulnerability, React2Shell. The flaw allowed them to access AWS containers holding customer information. The hackers noted that the company, which also offers security services, had insecure AWS infrastructure, giving them easy access to data stored in its cloud account.

Although the vulnerability became public in 2025, and a patch was already available, the company continued running a React application on the vulnerable version.
In a post on the dark web, the hackers said their attempts to contact LexisNexis about the issue were unsuccessful because the company declined to work with them.
Exposed data, as cited by BleepingComputer, includes:
- 536 Redshift tables
- 430+ VPC database tables
- 53 AWS Secrets Manager secrets in plaintext
- 3.9M database records
- 21,042 customer accounts
- 5,582 lawyer survey respondents
- 45 employee password hashes
- Full VPC infrastructure mapping
What we know from the company
Admitting to the breach, the company stated that the impact was minimal. Speaking to BleepingComputer, a spokesperson for the company said:
“Our investigation has confirmed that an unauthorized party accessed a limited number of servers.” Confirming the scope and severity of the breach, the spokesperson also noted:
“These servers contained mostly legacy, deprecated data from prior to 2020, including information such as customer names, user IDs, business contact information, products used, customer surveys with respondent IP addresses, and support tickets.”
LexisNexis also said, “The impacted information did not contain Social Security numbers, driver’s license numbers, or any other sensitive personally identifiable information; credit card, bank accounts, or any other financial information; active passwords; or customer search queries, customer client or matter information, or customer contracts.”
So far, the company has notified affected customers of the incident. LexisNexis also claimed it has informed law enforcement agencies about the breach. In addition, it engaged an external cybersecurity firm to investigate and contain the incident. The company also claimed the incident did not affect its business continuity.
What this breach reveals
The attack on LexisNexis shows that most successful cyberattacks do not rely on new techniques. Instead, they happen because of basic failures to install critical software updates or to configure infrastructure securely.
With data tied to hundreds of government and Department of Justice employees exposed, the breach marks a notable hit on the legal sector through a weak point in a common supply chain. As with most incidents of this kind, affected customers are expected to receive guidance on the steps they should take to protect their data.