LexisNexis has confirmed unauthorised access to its servers following the leak of 2 GB of stolen data by a threat actor.
Following this announcement, LexisNexis Legal & Professional has confirmed that an unauthorised party accessed a limited number of its servers after a threat actor known as FulcrumSec leaked approximately 2 GB of files across several underground forums. The US-based data analytics and legal information company said the breach has since been contained and found no evidence that its products or services were affected.
According to the company, the compromised servers held mostly legacy data predating 2020. The accessed information included customer names, user IDs, business contact details, products used, customer surveys with respondent IP addresses, and support tickets. A company spokesperson confirmed that the stolen data did not include Social Security numbers, driver's licence numbers, financial account details, active passwords, or customer search queries, contracts, or matter information.
Cloud infrastructure accessed via unpatched application
According to the announcement, FulcrumSec claims to have gained access to LexisNexis's AWS infrastructure on 24 February 2025 by exploiting a vulnerability, identified as React2Shell, in an unpatched React frontend application. According to the threat actor's public disclosure, the breach enabled access to 536 Redshift tables, more than 430 VPC database tables, 53 AWS Secrets Manager secrets stored in plaintext, approximately 3.9 million database records, 21.042 customer accounts, 5.582 attorney survey respondents, 45 employee password hashes, and a complete mapping of the company's VPC infrastructure.
FulcrumSec also claimed access to around 400.000 cloud user profiles containing real names, email addresses, phone numbers, and job functions. Of those, 118 users reportedly held .gov email addresses associated with US government employees, federal judges and law clerks, attorneys from the US Department of Justice, and staff from the US Securities and Exchange Commission.
The threat actor additionally criticised the company's security configuration, stating that a single ECS task role had been granted read access to all secrets within the account, including production database credentials. FulcrumSec indicated it had attempted to contact LexisNexis prior to the public disclosure but that the company declined to engage.
Response and broader context
LexisNexis has notified law enforcement authorities and engaged an external cybersecurity firm to support its investigation and implement containment measures. The company has also informed both current and former customers of the breach.
The incident is not the first security event to affect the company in recent years. In 2024, LexisNexis disclosed a separate breach in which a compromised corporate account was used to access sensitive information belonging to 364.000 customers.
LexisNexis Legal & Professional operates globally, providing legal, regulatory, and business information, research tools, and analytics to lawyers, corporations, governments, and academic institutions across more than 150 countries. The latest breach raises questions about legacy data retention practices and cloud infrastructure access controls, particularly given the sensitivity of the user base affected and the scope of internal systems reportedly exposed.
