LexisNexis Confirms AWS Cloud Breach Caused by React Vulnerability Exploit
LexisNexis Legal & Professional reports a data breach after the threat actor FulcrumSec leaked stolen files on underground forums.
The incident involved unauthorized access to the company's Amazon Web Services (AWS) infrastructure. The company describes the accessed data as legacy information from before 2020, while the threat actor claims to have stolen a significant volume of current records.
The attackers gained entry on February 24 by exploiting a vulnerability known as "React2Shell" within an unpatched React frontend application. This flaw allowed the threat actor to compromise a React container and pivot into the broader AWS environment.
FulcrumSec criticized the company's security architecture, noting that a single Elastic Container Service (ECS) task role possessed over-privileged read access to every secret in the account. This configuration allowed the attackers to view production Redshift master credentials and other sensitive keys in plaintext.
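As an added example (not code from the article or from LexisNexis), the following offline check flags the kind of statement described above: an Allow that can read secret values from an unscoped Resource. Both policy documents are constructed for illustration; the second shows the same task role scoped to one application's secret path.

```python
"""Flag IAM Allow statements that can read every secret in an account, the
over-privileged ECS task role pattern described in the article. Added example,
not code from the article or LexisNexis; both policies below are constructed."""
import fnmatch
import json

# Secrets Manager actions that return secret values.
SECRET_READ_ACTIONS = ("secretsmanager:GetSecretValue",
                       "secretsmanager:BatchGetSecretValue")

def _as_list(value):
    """IAM accepts a string or a list for Action/Resource; normalise to a list."""
    return value if isinstance(value, list) else [value]

def _is_broad_resource(resource: str) -> bool:
    """'*', or an ARN whose secret-name part is a bare wildcard, covers every secret."""
    return resource == "*" or resource.endswith(":secret:*")

def find_broad_secret_access(policy: dict) -> list[str]:
    """Return the Sid (or index) of each Allow statement whose Action matches a
    secret-read call (directly or via '*' / 'secretsmanager:*') on an unscoped
    Resource. Statements with a Condition are still reported for human review."""
    findings = []
    for idx, stmt in enumerate(_as_list(policy.get("Statement", []))):
        if stmt.get("Effect") != "Allow":
            continue
        patterns = _as_list(stmt.get("Action", []))
        reads_secrets = any(fnmatch.fnmatchcase(action, pat)
                            for action in SECRET_READ_ACTIONS for pat in patterns)
        broad = any(_is_broad_resource(r) for r in _as_list(stmt.get("Resource", [])))
        if reads_secrets and broad:
            findings.append(stmt.get("Sid", f"statement[{idx}]"))
    return findings

# Constructed: the weak task role (read any secret) beside a scoped-down version
# that can only read the secrets belonging to one application path.
OVERPRIVILEGED_TASK_ROLE = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "ReadAllSecrets", "Effect": "Allow",
     "Action": "secretsmanager:GetSecretValue", "Resource": "*"},
    {"Sid": "Logs", "Effect": "Allow", "Action": "logs:PutLogEvents", "Resource": "*"}]}""")

LEAST_PRIVILEGE_TASK_ROLE = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "ReadOwnSecrets", "Effect": "Allow",
     "Action": "secretsmanager:GetSecretValue",
     "Resource": "arn:aws:secretsmanager:us-east-1:123456789012:secret:prod/frontend/*"}]}""")
```

Running the check over every task role's inline and attached policies turns the finding FulcrumSec described into a list of statements to scope down before an application compromise can become an account-wide secret disclosure.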
The compromised data allegedly includes:
- 3.9 million database records
- 400,000 cloud user profiles including names, emails, and phone numbers
- 21,042 customer accounts
- 5,582 attorney survey responses
- 45 employee password hashes
- 53 AWS Secrets Manager secrets in plaintext
- VPC infrastructure mapping and 536 Redshift tables
The threat actor specifically highlighted the exposure of 118 ".gov" accounts belonging to U.S. Department of Justice attorneys, SEC staff, and federal judges. The number of affected individuals is approximately 400,000 based on hacker claims, but the company has not confirmed a final count.
LexisNexis claims that it has contained the attack and found no evidence of impact on its active products or services. The company notified law enforcement and engaged an external cybersecurity firm to assist with the forensic investigation and containment measures. Affected customers and former clients are being notified of the incident.
This breach follows a previous incident in 2024 where a compromised corporate account exposed data for 364,000 customers.