Hacker posts 2.04GB of LexisNexis L&P files after claimed cloud intrusion

A hacker named FulcrumSec posted about 2.04 GB of files March 3 after claiming Feb. 24 access; LexisNexis L&P says the incident is contained and involved legacy data.

Dr. Elena Rodriguez

A hacker using the handle FulcrumSec posted roughly 2.04 gigabytes of files to underground forums on March 3, 2026, and claimed it gained initial access to LexisNexis Legal & Professional’s cloud environment on Feb. 24 by exploiting a vulnerability it called "React2Shell" in an unpatched React frontend application. The attacker posted a detailed list of contents that, if accurate, would include millions of records and sensitive infrastructure data; LexisNexis L&P confirmed a data-security incident but said the accessed material was limited and largely outdated.

FulcrumSec asserted the exfiltrated set contained 3.9 million database records, 21,042 customer accounts, about 400,000 cloud user profiles with names, emails and phone numbers, and 118 addresses with .gov domains purportedly tied to federal judges, law clerks, U.S. Department of Justice attorneys and U.S. SEC staff. The attacker also claimed to have copied 536 Redshift tables, more than 430 VPC database tables, 53 AWS Secrets Manager secrets in plaintext, 45 employee password hashes and a complete mapping of VPC infrastructure. Those technical and numeric claims have not been independently verified.

LexisNexis L&P acknowledged the breach and offered a narrow characterization of what was accessed. "Our investigation has confirmed that an unauthorized party accessed a limited number of servers," the company said. The company added that the servers "contained mostly legacy, deprecated data from prior to 2020, including information such as customer names, user IDs, business contact information, products used, customer surveys with respondent IP addresses, and support tickets."

The company stressed containment and ongoing response. "LexisNexis Legal & Professional has investigated a security matter and based on the investigation and testing we have done to date, we believe the matter is contained. We have no evidence of compromise of or impact to our products and services." LexisNexis also said it had "engaged a preeminent cybersecurity forensic firm to assist in our investigation and response and have reported this issue to law enforcement."

The gap between the attacker’s detailed claims and the company’s assessment underscores uncertainty for clients and affected individuals. FulcrumSec’s post included technical assertions about plaintext secrets and infrastructure mapping that, if true, would increase risks of follow‑on intrusions or targeted account takeover. LexisNexis L&P did not confirm the attacker’s itemized counts in its public statements.

LexisNexis Legal & Professional is a major provider of research and analytics to law firms, corporations, governments and academic institutions, with a global footprint that spans about 150 countries and a business unit employing and serving nearly 12,000 people and organizations. The company’s Legal & Professional unit is separate from LexisNexis Risk Solutions, which experienced its own, distinct incident last year affecting roughly 360,000 people.

For now, the immediate facts are the hacker’s forum post, the attacker’s claim of a Feb. 24 intrusion via a front‑end vulnerability, and LexisNexis L&P’s statement that the issue is contained and under forensic review. The company has notified authorities and engaged external investigators as it works to reconcile the attacker’s technical assertions with its own findings.
