
LexisNexis Legal & Professional has confirmed that hackers breached its servers and accessed customer and business information, after a threat actor calling itself FulcrumSec publicly posted stolen files and a detailed account of the intrusion.

(This story was updated after receiving a statement from LexisNexis.)

According to news reports from BleepingComputer, TechRadar, and others, the threat actor FulcrumSec says it gained initial access on Feb. 24 by exploiting the React2Shell vulnerability in an unpatched React frontend application — a flaw the company had reportedly left unaddressed for months.

The group then leveraged its position inside a React container that had been granted read access to hundreds of Redshift tables, VPC database tables, AWS Secrets Manager secrets, employee password hashes, and millions of database records.

The attackers posted a lengthy manifesto on March 3 and a link to more than 3.9 million internal records allegedly exfiltrated from the company’s AWS infrastructure, including plaintext login credentials and profile data tied to roughly 400,000 users, news reports say.

Among the most sensitive claims, FulcrumSec says it obtained information related to more than 100 users with .gov email addresses, including federal judges and law clerks, U.S. Department of Justice attorneys, and SEC staff.

In a statement, LexisNexis said:

“LexisNexis Legal & Professional has investigated a security matter and based on the investigation and testing we have done to date, we believe the matter is contained. We have no evidence of compromise of or impact to our products and services. We engaged a preeminent cybersecurity forensic firm to assist in our investigation and response and have reported this issue to law enforcement.

“Our investigation has confirmed that an unauthorized party accessed a limited number of servers. These servers contained mostly legacy, deprecated data from prior to 2020, including information such as customer names, user IDs, business contact information, products used, customer surveys with respondent IP addresses, and support tickets.

“The impacted information did not contain Social Security numbers, driver’s license numbers, or any other sensitive personally identifiable information; credit card, bank accounts, or any other financial information; active passwords; or customer search queries, customer client or matter information, or customer contracts.

“We take our responsibility to safeguard customer information extremely seriously and have informed impacted current and previous customers of this matter. We are continuing to investigate and have implemented containment and remediation steps, in coordination with our expert cybersecurity forensic firm.”

FulcrumSec said it attempted to contact LexisNexis — most likely seeking a ransom — but the company “decided not to work with us.”

The hackers were derisive about what they characterized as lax security practices. Among other things, they claimed the password “Lexis1234” had been reused five different times, and mocked the company in their post, writing: “The company that indexes the world’s legal information could not index its own IAM policies.”

This is not LexisNexis’s first recent security incident. In a separate breach disclosed in 2025, an unauthorized party stole personal data, including Social Security numbers, belonging to over 364,000 individuals from a third-party software development platform used by LexisNexis Risk Solutions. FulcrumSec explicitly stated that the current incident is unrelated to that earlier GitHub breach.

The company said it has notified law enforcement and engaged an external forensics firm. Security researchers have noted that the combination of exposed government user data and enterprise credentials could fuel phishing and social engineering attacks long after the initial breach is contained.




Kathryn



