LexisNexis has reported unauthorized access to its servers following the release of about 2 GB of stolen data by a cyber actor known as FulcrumSec.
In the wake of this disclosure, LexisNexis Legal & Professional acknowledged that an unauthorized entity breached a limited number of its servers. The acknowledgment came after a threat actor called FulcrumSec leaked around 2 GB of data across multiple underground forums. The company stated that the breach has been contained and that it found no indication that its products or services were compromised.
The breached servers primarily held outdated information from before 2020. The stolen data included customer names, user IDs, business contact details, products used, survey responses with associated IP addresses, and support tickets. A LexisNexis spokesperson said that sensitive personal details such as Social Security numbers, driver’s licence numbers, financial account information, active passwords, search queries, contracts, and matter details were not included in the stolen files.
Unauthorized Access via Unpatched Application
The breach was reportedly initiated on February 24, 2025, when FulcrumSec exploited a vulnerability named React2Shell in an unpatched React application. The threat actor claimed access to over 536 Redshift tables and more than 430 VPC database tables, along with approximately 3.9 million records from various databases, spanning around 21.042 customer accounts, 5.582 attorney survey respondents, 45 employee password hashes, and a detailed map of the company’s Virtual Private Cloud (VPC) infrastructure.
Additionally, FulcrumSec reported gaining access to approximately 400,000 cloud user profiles containing real names, email addresses, phone numbers, and job functions. Among these were 118 users with .gov email addresses linked to U.S. government employees, federal judges, law clerks, attorneys from the Department of Justice, and staff members from the Securities and Exchange Commission.
The threat actor criticized LexisNexis’s security posture, highlighting that a single Elastic Container Service (ECS) task role had unrestricted access to all secrets within the account, including production database credentials. FulcrumSec said it attempted to contact LexisNexis before public disclosure but was rebuffed.
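A task role that can read every secret in the account, as described above, is something a static policy check can flag before deployment. The following is an added example, not code from LexisNexis or from the reporting: the policy documents, Sids, secret path and account ID are constructed, and the check only looks at Allow statements (Condition, NotAction and NotResource are not evaluated).

```python
import fnmatch

READ_SECRET = "secretsmanager:getsecretvalue"  # IAM action names are case-insensitive

def as_list(value):
    """IAM accepts a single string/dict wherever a list is valid."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]

def resource_is_account_wide(resource):
    # True for "*" or a Secrets Manager ARN whose secret name is just "*".
    if resource == "*":
        return True
    parts = resource.split(":", 6)
    return (len(parts) == 7 and parts[2] == "secretsmanager"
            and parts[5] == "secret" and parts[6] == "*")

def broad_secret_statements(policy):
    """Return the Sid (or index) of each Allow statement that can read every secret."""
    findings = []
    for i, stmt in enumerate(as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue
        actions = [a.lower() for a in as_list(stmt.get("Action"))]
        reads = any(fnmatch.fnmatchcase(READ_SECRET, a) for a in actions)
        wide = any(resource_is_account_wide(r) for r in as_list(stmt.get("Resource")))
        if reads and wide:
            findings.append(stmt.get("Sid", f"statement[{i}]"))
    return findings

# Constructed sample: the pattern the article describes (one role, all secrets).
WEAK_TASK_ROLE = {"Version": "2012-10-17", "Statement": [
    {"Sid": "AllSecrets", "Effect": "Allow", "Action": "secretsmanager:*", "Resource": "*"},
    {"Sid": "Logs", "Effect": "Allow", "Action": ["logs:PutLogEvents"], "Resource": "*"},
]}
# Constructed sample: the same role scoped to one service's secret path.
SCOPED_TASK_ROLE = {"Version": "2012-10-17", "Statement": {
    "Sid": "OwnSecrets", "Effect": "Allow", "Action": ["secretsmanager:GetSecretValue"],
    "Resource": ["arn:aws:secretsmanager:us-east-1:111122223333:secret:orders-api/*"],
}}

if __name__ == "__main__":
    print("weak:", broad_secret_statements(WEAK_TASK_ROLE))
    print("scoped:", broad_secret_statements(SCOPED_TASK_ROLE))
```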
Response and Broader Context
LexisNexis has informed law enforcement and engaged an external cybersecurity firm for investigation and remediation efforts. The company also communicated with current and former customers about the breach.
This incident follows another security event in 2024 where a hacked corporate account led to sensitive data exposure for 364,000 users. LexisNexis Legal & Professional serves clients globally, providing legal, regulatory, and business information, research tools, and analytics in more than 150 countries. The latest breach underscores concerns about legacy data storage and cloud access controls, especially given the nature of its user base.










