LexisNexis Legal & Professional has confirmed a new data breach after a threat actor leaked roughly 2 GB of stolen files from its cloud environment, describing the exposed information as “legacy” and mostly non‑sensitive customer and business data.
What happened
- An extortion group using the name FulcrumSec claims it breached LexisNexis Legal & Professional’s AWS infrastructure on February 24, 2026 and exfiltrated about 2.04 GB of structured data.
- The group says it gained access by exploiting a “React2Shell” vulnerability in an unpatched React frontend application, which gave it broad access to cloud resources.
- FulcrumSec has posted the stolen data on underground forums after failing to secure payment or engagement from the company.
What data was accessed
- LexisNexis says a “limited number of servers” were affected and that they mainly contained pre‑2020 “legacy, deprecated” data.
- According to the company, the data includes customer names, user IDs, business contact information, product usage information, customer surveys (with respondent IP addresses), and support tickets.
- LexisNexis states the breach did not involve Social Security numbers, driver’s license numbers, financial account data, active passwords, customer search queries, client/matter data, or contracts.
- FulcrumSec, however, claims the dump touches:
  - 536 Redshift tables and 430+ other database tables
  - 53 AWS Secrets Manager secrets in plaintext
  - 3.9 million database records, 21,042 customer accounts, and about 400,000 cloud user profiles with names, emails, phone numbers, and job functions.
- The attackers say at least 100+ accounts have .gov addresses, including U.S. government employees, federal judges and law clerks, DOJ attorneys, and SEC staff.
Company response and status
- LexisNexis says it has contained the intrusion, sees no evidence that current products or services were impacted, and has notified law enforcement and hired external cybersecurity experts.
- The firm reports that it has begun notifying current and former customers whose information may have been in the affected legacy systems.
- This incident is separate from the 2024 Christmas‑day LexisNexis Risk Solutions breach (via a third‑party GitHub environment) that exposed sensitive personal data, including SSNs and driver’s license numbers, for roughly 360,000+ individuals.
Practical implications and what to watch
For now, the company’s official position is that sensitive PII and live credentials were not compromised, but the attackers’ claims suggest potentially broader cloud exposure (secrets, infra mapping, and high‑value government accounts). From a risk and regulatory perspective, monitoring will focus on:
- Whether regulators treat this as a reportable breach for particular customer segments, especially government users.
- Any evidence that exfiltrated secrets or infra mapping are reused in follow‑on attacks, including on LexisNexis customers.
- Additional technical detail from LexisNexis or incident responders about the React2Shell exploitation path and cloud‑role scoping issues the threat actor criticized.




