LexisNexis Breach Exposes Government and Law Firm Data
FulcrumSec threat actor exploits React2Shell vulnerability to breach LexisNexis AWS infrastructure, leaking 2GB of customer data including .gov email addresses and federal employee records.
LexisNexis Legal & Professional has confirmed that hackers breached its AWS infrastructure and leaked sensitive customer data, including records belonging to U.S. government employees, federal judges, and Department of Justice attorneys.
The threat actor FulcrumSec claimed responsibility for the attack, publishing 2GB of stolen files on underground forums. According to The Record, the leaked data contains millions of records spanning customer names, user IDs, business contact information, and IT support tickets.
How the Attack Unfolded
FulcrumSec gained access on February 24 by exploiting CVE-2025-55182, the critical React Server Components vulnerability known as React2Shell. The flaw, which carries a maximum CVSS score of 10.0, allows unauthenticated remote code execution through crafted POST requests to applications running React Server Components.
The vulnerability has become a favored initial access vector for threat actors since its disclosure in December 2025. We previously covered how the TeamPCP worm campaign exploited the same flaw to compromise over 60,000 cloud servers for cryptomining operations.
In this case, FulcrumSec targeted an unpatched React frontend application within LexisNexis's infrastructure, pivoting from there into AWS systems hosting customer databases.
What Data Was Stolen
The threat actor claims to have exfiltrated structured data affecting approximately 400,000 cloud user profiles. The leaked information includes:
- Real names, email addresses, phone numbers, and job functions
- Account records for government agencies and law firms
- More than 100 users with .gov email addresses
- Federal judges, law clerks, DOJ attorneys, and SEC staff records
- Passwords and IT incident tickets
- Customer surveys with respondent IP addresses
LexisNexis has characterized the stolen data as "mostly legacy, deprecated data from prior to 2020." The company emphasized that the breach did not expose Social Security numbers, financial data, or customer search activity.
"We believe the matter is contained," a LexisNexis Legal & Professional spokesperson stated. "We have no evidence of compromise of or impact to our products and services."
FulcrumSec: A Growing Threat
FulcrumSec, which operates under the alias "The Threat Thespians," first appeared around September 2025. The group specializes in high-speed data extraction targeting cloud-hosted databases and is motivated primarily by financial gain through extortion and data auctioning.
According to WatchGuard's threat tracking, the group has previously targeted organizations including electronics manufacturer Avnet. Their operational tempo has increased substantially in 2026, with multiple high-profile breaches claimed within weeks.
The group's willingness to leak data quickly—often within days of initial access—puts additional pressure on victims and suggests limited interest in negotiation.
This Is LexisNexis's Second Major Breach
This incident follows another data breach disclosed last year affecting 364,000 individuals. That December 2024 breach occurred when attackers compromised a corporate GitHub account, accessing data including names, contact information, Social Security numbers, and driver's license numbers.
The back-to-back incidents raise questions about the data broker's security posture. LexisNexis Risk Solutions and LexisNexis Legal & Professional operate as separate divisions, but the pattern of breaches affecting both suggests systemic vulnerabilities across the organization.
Data brokers have become attractive targets given the volume and sensitivity of information they aggregate. Recent breaches at similar firms—including the Odido breach affecting 6 million Dutch customers—demonstrate the scale of risk when these repositories are compromised.
Why This Matters
LexisNexis serves as a critical information provider for legal professionals, law enforcement, and government agencies. The exposure of federal employee data, including judges and DOJ attorneys, creates potential targeting information for sophisticated adversaries.
The inclusion of passwords in the leaked dataset compounds the risk. Even if LexisNexis systems are now secured, credential reuse could enable access to other platforms used by affected individuals.
Recommended Actions
Organizations and individuals potentially affected should take immediate steps:
- Monitor for credential reuse: If you had a LexisNexis account pre-2020, change passwords on any other services sharing those credentials
- Enable MFA everywhere: Multi-factor authentication limits damage from compromised passwords
- Watch for targeted phishing: Government employees in the leak may face spearphishing attempts
- Accept credit monitoring: LexisNexis is offering two years of free identity protection to affected individuals
For enterprises running React applications, this breach reinforces the urgency of patching CVE-2025-55182. According to AWS threat intelligence, multiple nation-state groups have been actively exploiting React2Shell since its disclosure, and opportunistic actors like FulcrumSec now add to that threat landscape.
LexisNexis has engaged external forensic investigators and notified law enforcement. The company is in the process of notifying affected customers directly.