LexisNexis Legal & Professional has confirmed that hackers breached its servers and accessed customer and business information, after a threat actor calling itself FulcrumSec publicly posted stolen files and a detailed account of the intrusion.

(This story was updated after receiving a statement from LexisNexis.)

According to news reports from BleepingComputer, TechRadar, and others, the threat actor FulcrumSec says it gained initial access on Feb. 24 by exploiting the React2Shell vulnerability in an unpatched React frontend application — a flaw the company had reportedly left unaddressed for months. The group then leveraged its position inside a React container that had been granted read access to hundreds of Redshift tables, VPC database tables, AWS Secrets Manager secrets, employee password hashes, and millions of database records.

The attackers posted a lengthy manifesto on March 3 and a link to more than 3.9 million internal records allegedly exfiltrated from the company’s AWS infrastructure, including plaintext login credentials and profile data tied to roughly 400,000 users, news reports say.

Among the most sensitive claims, FulcrumSec says it obtained information related to more than 100 users with .gov email addresses, including federal judges and law clerks, U.S. Department of Justice attorneys, and SEC staff.

In a statement, LexisNexis said:

“LexisNexis Legal & Professional has investigated a security matter and based on the investigation and testing we have done to date, we believe the matter is contained. We have no evidence of compromise of or impact to our products and services. We engaged a preeminent cybersecurity forensic firm to assist in our investigation and response and have reported this issue to law enforcement.

“Our investigation has confirmed that an unauthorized party accessed a limited number of servers. These servers contained mostly legacy, deprecated data from prior to 2020, including information such as customer names, user IDs, business contact information, products used, customer surveys with respondent IP addresses, and support tickets.

“The impacted information did not contain Social Security numbers, driver’s license numbers, or any other sensitive personally identifiable information; credit card, bank accounts, or any other financial information; active passwords; or customer search queries, customer client or matter information, or customer contracts.

“We take our responsibility to safeguard customer information extremely seriously and have informed impacted current and previous customers of this matter. We are continuing to investigate and have implemented containment and remediation steps, in coordination with our expert cybersecurity forensic firm.”

FulcrumSec said it attempted to contact LexisNexis — most likely seeking a ransom — but the company “decided not to work with us.” The hackers were derisive about what they characterized as lax security practices. Among other things, they claimed the password “Lexis1234” had been reused five different times, and mocked the company in their post, writing: “The company that indexes the world’s legal information could not index its own IAM policies.”

This is not LexisNexis’s first recent security incident. In a separate breach disclosed in 2025, an unauthorized party stole personal data, including Social Security numbers, belonging to over 364,000 individuals from a third-party software development platform used by LexisNexis Risk Solutions. FulcrumSec explicitly stated that the current incident is unrelated to that earlier GitHub breach.

The company said it has notified law enforcement and engaged an external forensics firm. Security researchers have noted that the combination of exposed government user data and enterprise credentials could fuel phishing and social engineering attacks long after the initial breach is contained.

Bob Ambrogi

Bob is a lawyer, veteran legal journalist, and award-winning blogger and podcaster. In 2011, he was named to the inaugural Fastcase 50, honoring “the law’s smartest, most courageous innovators, techies, visionaries and leaders.” Earlier in his career, he was editor-in-chief of several legal publications, including The National Law Journal, and editorial director of ALM’s Litigation Services Division.