LexisNexis confirms cloud breach after hacker posts 2.04 GB of files
LexisNexis says limited legacy servers were accessed after a threat actor posted 2.04 GB of stolen files; attackers claim millions of records and plaintext secrets, raising phishing risks.
LexisNexis Legal & Professional confirmed that an unauthorized actor accessed a limited number of legacy servers after a threat actor calling itself FulcrumSec posted roughly 2.04 GB of files online, including claims of more than 3.9 million internal records and 118 .gov email addresses tied to judges and government attorneys. The company said the exposed material was largely deprecated and that it has engaged law enforcement and external forensic investigators.
FulcrumSec posted a detailed account and a manifesto, saying it initially gained entry on February 24 by exploiting an unpatched React frontend vulnerability known as React2Shell. The group alleges it then compromised an Amazon Web Services Elastic Container Service task role named LawfirmsStoreECSTaskRole that carried broad read permissions, allowing lateral movement into production systems. The actor claims access to a Redshift data warehouse, multiple virtual private cloud databases and tables, AWS Secrets Manager entries in plaintext, and a Qualtrics survey instance.
The attacker supplied specific counts it said were exfiltrated: 536 Redshift tables, more than 430 VPC database tables across 17 VPC databases, 53 Secrets Manager secrets in plaintext, about 3.9 million database records, roughly 400,000 cloud user profiles containing names and contact details, 21,042 customer accounts, 5,582 attorney survey respondents, and 45 employee password hashes. FulcrumSec also posted samples and links to data on underground forums and said it attempted to extort the company.
LexisNexis framed the incident differently. “Our investigation has confirmed that an unauthorized party accessed a limited number of servers,” the company said. “These servers contained mostly legacy, deprecated data from prior to 2020, including information such as customer names, user IDs, business contact information, products used, customer surveys with respondent IP addresses, and support tickets.” The company added, “LexisNexis Legal & Professional has investigated a security matter and based on the investigation and testing we have done to date, we believe the matter is contained,” and said, “We have no evidence of compromise of or impact to our products and services.”
Those competing characterizations leave significant questions unanswered. LexisNexis has not publicly confirmed the full inventory of artifacts the threat actor listed, and independent forensic findings have not been released. Security researchers warn that even if the data were primarily legacy, the combination of exposed government email addresses and enterprise credentials could fuel targeted phishing and social engineering attacks long after initial access is contained.

FulcrumSec’s narrative also points to classic cloud weaknesses: an unpatched frontend, over-privileged IAM roles attached to ECS tasks, plaintext secrets storage, and weak credentials. The attacker mocked an alleged weak RDS master password and said the compromised role allowed mapping of the complete VPC infrastructure. Best-practice mitigation in such scenarios typically includes enforcing least-privilege access, rotating secrets, applying timely patches, auditing CloudTrail and ECS activity, and enabling multi-factor authentication.
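Two of the mitigations named above, least-privilege task roles and auditing CloudTrail for ECS activity, can be turned into concrete checks. The script below is an added illustration written for this article; it is not code from LexisNexis, FulcrumSec or AWS, and the account id, role name, task id, secret names and the CloudTrail records themselves are constructed placeholders. It does two things: it lints an ECS task-role policy for Allow statements that grant secret reads or wildcard actions on every resource, and it runs a small detection over CloudTrail events that flags a task-role session performing VPC reconnaissance calls or reading many distinct Secrets Manager secrets in a short window, while leaving the task's normal single-secret read alone.

```python
"""Least-privilege lint and CloudTrail detection for ECS task roles (added example)."""
from collections import defaultdict
from datetime import datetime, timedelta

# --- Constructed sample data (placeholders, not real identifiers or logs) ---
ROLE = "ExampleStoreECSTaskRole"          # hypothetical task role name
SESSION_ARN = f"arn:aws:sts::111122223333:assumed-role/{ROLE}/ecs-task-0001"

def _event(name, source, time, params):
    """Build a minimal CloudTrail-shaped record for an assumed-role session."""
    return {
        "eventTime": time,
        "eventSource": source,
        "eventName": name,
        "userIdentity": {
            "type": "AssumedRole",
            "arn": SESSION_ARN,
            "sessionContext": {"sessionIssuer": {"userName": ROLE}},
        },
        "requestParameters": params,
    }

SAMPLE_EVENTS = [
    # Normal behaviour: the task reads the one secret its application needs.
    _event("GetSecretValue", "secretsmanager.amazonaws.com",
           "2026-02-24T09:00:00Z", {"secretId": "prod/app/db-credentials"}),
    # Reconnaissance of the VPC from inside the task.
    _event("DescribeVpcs", "ec2.amazonaws.com", "2026-02-24T09:05:10Z", {}),
    _event("DescribeSubnets", "ec2.amazonaws.com", "2026-02-24T09:05:12Z", {}),
    # Bulk secret reads: the same role pulling many unrelated secrets quickly.
    *[_event("GetSecretValue", "secretsmanager.amazonaws.com",
             f"2026-02-24T09:06:{i:02d}Z", {"secretId": f"prod/service-{i}/api-key"})
      for i in range(6)],
]

# Over-broad policy: every secret readable, every EC2 describe call allowed.
OVERBROAD_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["secretsmanager:GetSecretValue", "ec2:Describe*"],
     "Resource": "*"}]}
# Scoped policy: one named secret only (ARN is a constructed placeholder).
SCOPED_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "secretsmanager:GetSecretValue",
     "Resource": "arn:aws:secretsmanager:us-east-1:111122223333:secret:prod/app/db-credentials-AbCdEf"}]}

# --- Policy lint -------------------------------------------------------------
def _as_list(v):
    return [v] if isinstance(v, str) else list(v or [])

def overbroad_statements(policy):
    """Return Allow statements that grant secret reads or wildcard actions on Resource '*'."""
    flagged = []
    for st in policy.get("Statement", []):
        if st.get("Effect") != "Allow" or "*" not in _as_list(st.get("Resource")):
            continue
        actions = _as_list(st.get("Action"))
        if any(a == "*" or a.endswith(":*") or a.startswith("secretsmanager:") for a in actions):
            flagged.append(st)
    return flagged

# --- CloudTrail detection ----------------------------------------------------
RECON_CALLS = {"DescribeVpcs", "DescribeSubnets", "DescribeSecurityGroups",
               "ListSecrets", "ListRoles", "DescribeClusters"}
BULK_THRESHOLD = 5                     # distinct secrets read by one role ...
BULK_WINDOW = timedelta(minutes=10)    # ... within this window

def _issuer(ev):
    return ev["userIdentity"].get("sessionContext", {}).get("sessionIssuer", {}).get("userName")

def _ts(ev):
    return datetime.strptime(ev["eventTime"], "%Y-%m-%dT%H:%M:%SZ")

def detect(events, task_roles):
    """Return findings for sessions issued by the given ECS task roles."""
    findings = []
    reads = defaultdict(list)          # role -> [(time, secretId)], time-ordered
    for ev in sorted(events, key=_ts):
        role = _issuer(ev)
        if role not in task_roles:
            continue
        if ev["eventName"] in RECON_CALLS:
            findings.append({"rule": "task-role-recon", "role": role,
                             "call": ev["eventName"], "time": ev["eventTime"]})
        if ev["eventName"] == "GetSecretValue":
            reads[role].append((_ts(ev), ev["requestParameters"]["secretId"]))
    for role, items in reads.items():
        # Sliding window: count distinct secrets read within BULK_WINDOW of each read.
        for i, (t0, _) in enumerate(items):
            window = {sid for t, sid in items[i:] if t - t0 <= BULK_WINDOW}
            if len(window) >= BULK_THRESHOLD:
                findings.append({"rule": "bulk-secret-read", "role": role,
                                 "distinct_secrets": len(window),
                                 "start": t0.strftime("%Y-%m-%dT%H:%M:%SZ")})
                break                  # one finding per role is enough
    return findings

if __name__ == "__main__":
    print("over-broad statements:", len(overbroad_statements(OVERBROAD_POLICY)))
    for f in detect(SAMPLE_EVENTS, {ROLE}):
        print(f)
```

On real data, `detect` would be fed the `Records` array of a CloudTrail log file and `task_roles` would be the set of roles attached to ECS task definitions in the account; the thresholds are deliberately conservative starting points and should be tuned against the normal secret-read rate of each service. The lint is intentionally narrow: it only catches statements that combine a secret-reading or wildcard action with `Resource: "*"`, which is the pattern that lets one compromised task enumerate every secret in the account.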
The incident arrives amid recent third-party supply chain turmoil for parts of the RELX ecosystem; a prior breach tied to a code repository exposed personal data for hundreds of thousands of people. FulcrumSec said the current intrusion is unrelated.
LexisNexis has notified law enforcement and hired an external forensics firm. Investigators face urgent follow-up questions: which specific servers were accessed, whether any secrets remain active, whether affected government or judicial accounts will be notified, and whether forensic analysis will corroborate the scope FulcrumSec claims. In the coming days, security teams and customers should monitor for credential misuse and phishing that could stem from the leaked material.