Global legal and business information giant LexisNexis Legal & Professional has confirmed a significant data breach in which the threat actor FulcrumSec exfiltrated and partially leaked roughly 2GB of sensitive files. The intrusion, which the company says occurred on February 24th, exposed customer records, internal secrets, and the cloud profiles of hundreds of thousands of users, including more than 100 accounts tied to .gov email addresses belonging to federal judges, Department of Justice attorneys, SEC staff, and law clerks. LexisNexis has taken responsibility, notified law enforcement, and engaged external cybersecurity experts.
What Happened
LexisNexis L&P, a trusted provider of legal, regulatory, and business intelligence to professionals worldwide, fell victim to a targeted cyberattack against its AWS-hosted infrastructure. According to FulcrumSec, the actor reached out to the company before going public but was rebuffed. The group subsequently leaked a portion of the stolen data and published a sharp critique of LexisNexis's cloud security posture.
The company has acknowledged the breach publicly. It says the stolen data was mostly outdated but concedes that the trove still contained valuable, actionable information. LexisNexis maintains that the incident has been contained and that it has found no evidence of impact on its products or services. Current and former customers have been notified.
What Was Taken
FulcrumSec claims to have exfiltrated 2.04 GB of structured data. The haul, as described by the actor, includes:
- Access to 536 Redshift tables and over 430 VPC database tables
- 53 AWS Secrets Manager secrets in plaintext
- 3.9 million database records
- 21,042 customer accounts
- 5,582 attorney survey responses
- 45 employee password hashes
- A complete map of the VPC infrastructure
- Approximately 400,000 cloud user profiles with real names, emails, phone numbers, and job titles
The exposed fields span customer names, user IDs, business contacts, product usage details, survey responses paired with IP addresses, and support tickets. Even if outdated, this is precisely the kind of identity and contact data that fuels targeted phishing and social engineering, and the presence of government and judicial personnel in the dataset makes it far more dangerous.
Why It Matters
The sensitivity here is not measured in gigabytes but in who is in the data. A breach that surfaces the names, emails, phone numbers, and job titles of federal judges, DOJ attorneys, and SEC staff hands adversaries a ready-made targeting list for spear phishing, impersonation, and influence operations against the U.S. legal system. Attorney survey responses and support tickets add behavioral and operational context that sharpens those attacks.
For defenders, this incident is a reminder that vendors holding professional and government identity data are high-value targets whose compromise cascades downstream to their entire customer base. The leaked plaintext secrets and infrastructure map also raise the prospect of follow-on intrusion if any credentials remain valid.
The Attack Technique
FulcrumSec says it gained initial access by exploiting an unpatched vulnerability in a React frontend application, a flaw the actor refers to as React2Shell. That foothold allowed the group to pivot into the LexisNexis AWS environment.
The most damaging detail is an architecture failure, not just a bug. FulcrumSec highlighted that a single ECS task role held unrestricted access to every secret in the account, including the production Redshift master credential. Because any code executing inside an ECS task can fetch that role's temporary credentials from the task metadata endpoint, code execution in the frontend container was equivalent to holding the role's full permissions. That over-permissioned role is what turned a frontend exploit into the wholesale exposure of 53 plaintext secrets, hundreds of database tables, and millions of records: a textbook example of how weak identity scoping converts a contained web flaw into a full cloud compromise.
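The pattern described above, as an added example that is not from the article or from LexisNexis: a small linter that flags an ECS task role policy allowing secret reads against `Resource: "*"`, placed beside a scoped policy, plus a simplified evaluator showing that the scoped role cannot reach the production Redshift master credential. Both policies are constructed illustrations; the account ID, role scope and secret ARNs are placeholders.

```python
"""Lint an IAM policy for the pattern described above: one task role that can
read every Secrets Manager secret in the account.

Added example, not from the article or from LexisNexis. Both policies are
constructed illustrations; the account ID and secret ARNs are placeholders.
"""
import fnmatch

ACCOUNT = "123456789012"  # placeholder
SECRET_READ_ACTIONS = {"secretsmanager:GetSecretValue", "secretsmanager:BatchGetSecretValue"}

# Over-permissioned: any code running in this task can read any secret.
OVERBROAD_TASK_ROLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "secretsmanager:*", "Resource": "*"},
    ],
}

# Scoped: the frontend task reads only its own secrets, and the production
# Redshift master credential is explicitly denied even if a later Allow slips in.
SCOPED_TASK_ROLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": ["secretsmanager:GetSecretValue"],
            "Resource": [f"arn:aws:secretsmanager:us-east-1:{ACCOUNT}:secret:frontend/*"],
        },
        {
            "Effect": "Deny",
            "Action": "secretsmanager:*",
            "Resource": [f"arn:aws:secretsmanager:us-east-1:{ACCOUNT}:secret:prod/redshift/master-*"],
        },
    ],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _matches(pattern, value):
    # IAM actions are case-insensitive and '*' is a wildcard in both actions
    # and resource ARNs; fnmatch is close enough for this linter.
    return fnmatch.fnmatchcase(value.lower(), pattern.lower())


def findings(policy):
    """Return one line per Allow statement that grants a secret-read action
    against Resource '*' or an all-secrets ARN."""
    out = []
    for i, st in enumerate(_as_list(policy.get("Statement", []))):
        if st.get("Effect") != "Allow":
            continue
        actions = _as_list(st.get("Action", []))
        resources = _as_list(st.get("Resource", []))
        granted = sorted(a for a in SECRET_READ_ACTIONS if any(_matches(p, a) for p in actions))
        wild = [r for r in resources if r == "*" or r.endswith(":secret:*")]
        if granted and wild:
            out.append(f"statement {i}: {granted} allowed on {wild}")
    return out


def can_read_secret(policy, secret_arn, action="secretsmanager:GetSecretValue"):
    """Simplified IAM evaluation for one identity policy: an explicit Deny
    wins, otherwise any matching Allow grants access. Conditions, SCPs,
    permission boundaries and resource policies are ignored."""
    allowed = False
    for st in _as_list(policy.get("Statement", [])):
        if not any(_matches(p, action) for p in _as_list(st.get("Action", []))):
            continue
        if not any(_matches(r, secret_arn) for r in _as_list(st.get("Resource", []))):
            continue
        if st.get("Effect") == "Deny":
            return False
        if st.get("Effect") == "Allow":
            allowed = True
    return allowed


if __name__ == "__main__":
    redshift = f"arn:aws:secretsmanager:us-east-1:{ACCOUNT}:secret:prod/redshift/master-Ab12Cd"
    for name, pol in (("overbroad", OVERBROAD_TASK_ROLE_POLICY), ("scoped", SCOPED_TASK_ROLE_POLICY)):
        print(name, findings(pol) or "no findings",
              "| redshift master readable:", can_read_secret(pol, redshift))
```

The evaluator deliberately ignores conditions and account-level controls; in a real review, run the same check through IAM Access Analyzer or a policy simulator. The point of the explicit Deny is that a later, sloppier Allow on the same role still cannot reach the production master credential.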
What Organizations Should Do
- Enforce least-privilege IAM and scope ECS, Lambda, and EC2 task roles tightly so no single role can read all secrets in an account. Segment access to production database master credentials.
- Treat any secret a compromised role could read as exposed, regardless of encryption at rest. Prefer short-lived, dynamically issued credentials (IAM database authentication, STS-issued tokens) over long-lived static secrets, rotate aggressively, and assume the 53 leaked secrets are burned until proven otherwise.
- Patch and inventory frontend and web application dependencies. Treat client-facing React and JavaScript apps as part of the attack surface, not just the backend.
- Monitor for anomalous Redshift, VPC, and Secrets Manager access, and alert on a single principal enumerating large numbers of tables or secrets.
- Establish a vulnerability disclosure and intake process so researcher or actor outreach is triaged quickly rather than rebuffed, buying time before public leaks.
- Notify and protect downstream users, especially high-risk government and legal personnel, with breach guidance, phishing warnings, and credential resets.
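The monitoring recommendation above, as an added example that is not from the article or from LexisNexis: a CloudTrail-style detection that flags a single principal reading an unusual number of distinct Secrets Manager secrets inside a short window, the behaviour a sweep of all 53 secrets would produce. The events are constructed; the account ID, role names, secret names and timestamps are placeholders.

```python
"""Flag a single principal reading an unusual number of distinct Secrets
Manager secrets inside a short window, from CloudTrail GetSecretValue events.

Added example, not from the article or from LexisNexis. The events are
constructed; the account ID, role names, secret names and timestamps are
placeholders.
"""
from collections import Counter, defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=10)
THRESHOLD = 10            # distinct secrets per principal per window; set from your baseline
ACCOUNT = "123456789012"  # placeholder


def cloudtrail_event(t, role, secret, source_ip):
    """Build a minimal GetSecretValue CloudTrail record (constructed data)."""
    return {
        "eventTime": t.strftime("%Y-%m-%dT%H:%M:%SZ"),
        "eventSource": "secretsmanager.amazonaws.com",
        "eventName": "GetSecretValue",
        "sourceIPAddress": source_ip,
        "userIdentity": {
            "type": "AssumedRole",
            "arn": f"arn:aws:sts::{ACCOUNT}:assumed-role/{role}/ecs-task",
            "sessionContext": {"sessionIssuer": {"arn": f"arn:aws:iam::{ACCOUNT}:role/{role}"}},
        },
        "requestParameters": {
            "secretId": f"arn:aws:secretsmanager:us-east-1:{ACCOUNT}:secret:{secret}"
        },
    }


def build_sample_events():
    t0 = datetime(2026, 1, 1, 3, 0, 0)  # constructed timestamp
    events = []
    # Baseline: the frontend task reads its own two secrets now and then.
    for minute in (0, 20, 35):
        for s in ("frontend/session-signing", "frontend/feature-flags"):
            events.append(cloudtrail_event(t0 + timedelta(minutes=minute), "frontend-task-role", s, "10.0.1.5"))
    # A second service with its own narrow set of reads.
    for s in ("billing/stripe-key", "billing/db-creds", "billing/smtp"):
        events.append(cloudtrail_event(t0 + timedelta(minutes=5), "billing-task-role", s, "10.0.2.7"))
    # Burst: the same frontend role sweeps twelve unrelated secrets in under three minutes.
    sweep = ["prod/redshift/master", "prod/rds/master", "prod/kms/wrap",
             "prod/sso/client", "prod/s3/exports", "prod/api/partner",
             "staging/rds/master", "staging/sso/client", "ops/pagerduty",
             "ops/github-token", "ops/datadog", "ops/backup"]
    for i, s in enumerate(sweep):
        events.append(cloudtrail_event(t0 + timedelta(minutes=50, seconds=15 * i), "frontend-task-role", s, "10.0.1.5"))
    return events


def detect_secret_enumeration(events, window=WINDOW, threshold=THRESHOLD):
    """Group GetSecretValue calls by the issuing role, slide a time window over
    each role's reads, and alert when the number of distinct secrets seen in
    any window reaches the threshold."""
    by_principal = defaultdict(list)
    for e in events:
        if e.get("eventSource") != "secretsmanager.amazonaws.com" or e.get("eventName") != "GetSecretValue":
            continue
        ident = e["userIdentity"]
        principal = ident.get("sessionContext", {}).get("sessionIssuer", {}).get("arn") or ident["arn"]
        t = datetime.strptime(e["eventTime"], "%Y-%m-%dT%H:%M:%SZ")
        by_principal[principal].append((t, e["requestParameters"]["secretId"]))

    alerts = []
    for principal, reads in by_principal.items():
        reads.sort()
        in_window = Counter()
        left = peak = 0
        for t, secret in reads:
            in_window[secret] += 1
            while t - reads[left][0] > window:          # evict reads older than the window
                old = reads[left][1]
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                left += 1
            peak = max(peak, len(in_window))
        if peak >= threshold:
            alerts.append({"principal": principal, "distinct_secrets_in_window": peak})
    return alerts


if __name__ == "__main__":
    for alert in detect_secret_enumeration(build_sample_events()):
        print(alert)
```

Keying on `sessionIssuer` rather than the assumed-role session ARN matters here: an attacker reusing a task role's credentials gets a fresh session ARN for each assumption, so per-session counting would split one sweep into several small ones. In production, add the same logic over `ListSecrets`/`DescribeSecret` and over Redshift audit logs for a principal enumerating many tables.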
Sources: LexisNexis Data Breach: Hackers Leak 2GB of Files | Cybersecurity News (2026)
TWEET: LexisNexis breached by FulcrumSec via a React app flaw. 2GB leaked: 3.9M records, plaintext AWS secrets, and 100+ .gov accounts incl. federal judges & DOJ. Full breakdown: https://wasteland.me/intel/lexisnexis-data-breach #CyberSecurity #ThreatIntel