- March 5, 2026 at 4:41 pm #1790
Rameses Quiambao
Summary
LexisNexis Legal & Professional confirmed that threat actors breached its servers and accessed customer and business information after attackers leaked approximately 2GB of stolen data on underground forums.
The breach reportedly involved unauthorized access to several internal servers containing legacy and deprecated data, primarily from before 2020.
Research Source
According to BleepingComputer, the breach was disclosed after a threat actor named FulcrumSec publicly released stolen data online and detailed the intrusion.
LexisNexis confirmed that an unauthorized party accessed a limited number of servers, though the company stated the exposed information mainly involved non-critical legacy data.
Technical Details
The threat actor claims the breach occurred on February 24, 2026 through exploitation of the React2Shell vulnerability in an unpatched React frontend application.
The attacker reportedly gained access to the company’s AWS cloud infrastructure, allowing them to exfiltrate internal datasets.
The attacker claimed access to:
• 536 Amazon Redshift tables
• 430+ VPC database tables
• 53 AWS Secrets Manager secrets in plaintext
• 3.9 million database records
• 21,042 customer accounts
• 5,582 attorney survey respondents
• 45 employee password hashes
The attacker also reported having visibility into complete VPC infrastructure mapping and access to approximately 400,000 cloud user profiles containing names, emails, phone numbers, and job roles.
Observed Attack Activity
Threat Actor
• FulcrumSec
Initial Access
• Exploitation of React2Shell vulnerability in an unpatched React application
Cloud Environment Compromise
• Access to AWS infrastructure and containers
Data Exfiltration
• 2.04GB of structured data stolen from internal systems
Sensitive Infrastructure Exposure
• AWS Secrets Manager secrets
• Redshift database credentials
• VPC architecture mapping
Potentially Impacted Accounts
• Over 100 accounts with .gov email addresses, including:
  • U.S. government employees
  • Federal judges and law clerks
  • U.S. Department of Justice attorneys
  • U.S. SEC staff
Impact
The breach could expose organizations to multiple risks including:
• Exposure of internal company and customer information
• Potential misuse of leaked credentials or password hashes
• Intelligence gathering on internal infrastructure
• Increased risk of targeted phishing or social engineering
LexisNexis stated that the exposed data did not include:
• Social Security numbers
• Driver’s license numbers
• Financial information
• Active passwords
• Customer contracts or legal case data
The company also stated that products and services were not impacted.
Mitigation
LexisNexis has taken the following actions:
• Contained the intrusion
• Notified law enforcement authorities
• Engaged external cybersecurity experts to assist with investigation
• Notified current and former customers
Recommended security practices for organizations include:
• Patch vulnerable web applications and dependencies
• Implement strict IAM controls in cloud environments
• Restrict access to secrets and infrastructure credentials
• Monitor cloud logs for suspicious activity
• Rotate potentially exposed credentials
References
• https://www.bleepingcomputer.com/news/security/lexisnexis-confirms-data-breach-as-hackers-leak-stolen-files/
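To illustrate the "Monitor cloud logs for suspicious activity" and "Restrict access to secrets" recommendations above, the following Python example (added here, not part of the original post or of any LexisNexis or BleepingComputer material) flags a principal that successfully reads many distinct AWS Secrets Manager secrets within a short window of CloudTrail records. The 10-minute window, the threshold of 5, the role names and the sample records are constructed assumptions.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=10)  # assumed tuning value, not from the post
THRESHOLD = 5                   # assumed: distinct secrets per principal per window

def bulk_secret_readers(records, window=WINDOW, threshold=THRESHOLD):
    """Map principal ARN -> peak count of distinct secrets read within one window."""
    reads = defaultdict(list)
    for r in records:
        if r.get("eventSource") != "secretsmanager.amazonaws.com":
            continue
        # Only successful reads; denied calls carry an errorCode.
        if r.get("eventName") != "GetSecretValue" or r.get("errorCode"):
            continue
        arn = (r.get("userIdentity") or {}).get("arn", "unknown")
        secret = (r.get("requestParameters") or {}).get("secretId")
        if secret:
            ts = datetime.strptime(r["eventTime"], "%Y-%m-%dT%H:%M:%SZ")
            reads[arn].append((ts, secret))
    flagged = {}
    for arn, events in reads.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            # Slide the left edge until the span fits inside the window.
            while events[end][0] - events[start][0] > window:
                start += 1
            distinct = len({s for _, s in events[start:end + 1]})
            if distinct >= threshold:
                flagged[arn] = max(flagged.get(arn, 0), distinct)
    return flagged

def _ev(arn, secret, ts):
    # Constructed record with the CloudTrail fields the detector reads.
    return {"eventSource": "secretsmanager.amazonaws.com",
            "eventName": "GetSecretValue", "eventTime": ts,
            "userIdentity": {"arn": arn},
            "requestParameters": {"secretId": secret}}

# Constructed sample: a web role reads 6 secrets in 5 min; a batch role rereads one hourly.
WEB = "arn:aws:sts::111122223333:assumed-role/web-frontend-task/example"
JOB = "arn:aws:sts::111122223333:assumed-role/nightly-etl/example"
SAMPLE = ([_ev(WEB, f"prod/db/{i}", f"2026-01-01T10:0{i}:00Z") for i in range(6)]
          + [_ev(JOB, "prod/etl/redshift", f"2026-01-01T0{i}:00:00Z") for i in range(6)])

if __name__ == "__main__":
    print(json.dumps(bulk_secret_readers(SAMPLE), indent=2))
```

A frontend workload role that appears in this output is also a candidate for a narrower IAM policy, since a web task rarely needs read access to more than its own secrets.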