LexisNexis has confirmed a data breach after hackers leaked data allegedly stolen from its systems, but the legal and risk solutions giant claims the impact is limited.
The hackers announced the intrusion on a cybercrime forum on Tuesday. Based on their statement, they attempted to extort LexisNexis but were unsuccessful.
Representatives of LexisNexis Legal & Professional said in a statement to SecurityWeek that while the attackers did gain access to some servers, the compromised systems mostly stored legacy and deprecated data from prior to 2020.
The company has confirmed that information such as customer names, user IDs, business contact details, the IPs of customer survey respondents, and support tickets was compromised.
“LexisNexis Legal & Professional has investigated a security matter and based on the investigation and testing we have done to date, we believe the matter is contained,” the company said. “We have no evidence of compromise of or impact to our products and services.”
It added, “The impacted information did not contain Social Security numbers, driver’s license numbers, or any other sensitive personally identifiable information; credit card, bank accounts, or any other financial information; active passwords; or customer search queries, customer client or matter information, or customer contracts.”
The hackers suggested that they exploited the React2Shell vulnerability and improperly secured AWS instances to access and exfiltrate more than 2GB of data. The cyberattack allegedly took place last week.
The threat actor claimed to have obtained millions of data records, including enterprise account data, employee credentials, software development secrets, and personal information on 400,000 people, including over 100 individuals with .gov email addresses. The compromised personal information includes names, phone numbers, email addresses, and job roles.
This is not the first data breach LexisNexis has suffered in recent years. LexisNexis Risk Solutions last year confirmed that a 2024 intrusion at a third party resulted in the information of more than 360,000 people being stolen.
*updated with additional information from LexisNexis
Related: Madison Square Garden Data Breach Confirmed Months After Hacker Attack
Related: 1.2 Million Affected by University of Hawaii Cancer Center Data Breach
Related: Canadian Tire Data Breach Impacts 38 Million Accounts
