LexisNexis Probes Cloud Breach After Hackers Claim Theft of Millions of Legal and Government Records
LexisNexis is investigating a breach of its cloud systems after a hacking group claimed it stole millions of records tied to law firms, corporations and government agencies, including accounts using federal judges' and U.S. regulators' email addresses.
Breach traced to exploited web app flaw
The incident, confirmed publicly by the company in early March, began when attackers exploited a known software flaw in a web application hosted on Amazon Web Services in late February. The group, which calls itself FulcrumSec, has published about 2 gigabytes of data it says came from LexisNexis' infrastructure and has described how it allegedly moved from a single vulnerable app to broader access inside the company's cloud environment.
LexisNexis, a unit of London-based information and analytics company RELX, said the compromised systems contained "mostly legacy, deprecated data from prior to 2020" and insisted that no highly sensitive personal or financial information was exposed. Security researchers and the attackers themselves, however, say the leaked material includes business contact data and cloud configuration details that could be valuable for targeting lawyers, judges and government officials.
What LexisNexis says was exposed
In a written statement, LexisNexis said an "unauthorized party" accessed "a limited number of servers" used by its Legal & Professional division.
"These servers contained mostly legacy, deprecated data from prior to 2020, including information such as customer names, user IDs, business contact information, products used, customer surveys with respondent IP addresses, and support tickets," the company said.
It added that the data did not include Social Security numbers, driver's license numbers, financial account information, active passwords, customer search queries, customer client/matter data or customer contracts.
The company said it contained the threat, secured the affected environment, notified law enforcement and engaged external cybersecurity experts. It said it is notifying customers "where required" under data protection and breach notification laws.
Hackers' claims: "React2Shell," secrets access, and Redshift tables
FulcrumSec, which began posting about the incident around March 3 on underground forums, claims it gained initial access on or about Feb. 24 by exploiting a critical vulnerability known as React2Shell in an unpatched React-based frontend application exposed to the internet. The flaw, tracked as CVE-2025-55182, allows remote code execution on certain React Server Components and related frameworks if they are not updated.
The vulnerability was publicly disclosed in December and drew warnings from security firms and the U.S. Cybersecurity and Infrastructure Security Agency, which added it to its catalog of known exploited flaws and urged rapid patching by federal agencies and contractors.
In technical notes shared alongside the leaked data, FulcrumSec said that after using React2Shell to run code inside a container in LexisNexis' AWS environment, it was able to assume an overprivileged role assigned to that container. That role allegedly allowed it to read entries from AWS Secrets Manager, which stores database passwords and other configuration data.
The group said it then obtained plaintext secrets, including credentials for multiple databases, and used those to connect to Amazon Redshift and other databases inside LexisNexis' virtual private cloud. The attackers also claimed some passwords were weak or hardcoded, citing one example they said was "Lexis1234."
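Added example, not from LexisNexis, FulcrumSec or the original article: a defender-side check for the condition described above, a workload role whose IAM policy lets it read any Secrets Manager entry rather than only the secrets it needs. The policy, account ID, Sids and probe ARN are constructed, and the check assumes identity-policy JSON and does not evaluate Deny statements, conditions or NotAction/NotResource.

```python
import fnmatch
import json

# Constructed sample task-role policy (hypothetical account ID, Sids and names).
SAMPLE_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "AppConfig", "Effect": "Allow",
     "Action": "secretsmanager:GetSecretValue",
     "Resource": "arn:aws:secretsmanager:us-east-1:111122223333:secret:frontend/session-key-AbCdEf"},
    {"Sid": "Legacy", "Effect": "Allow",
     "Action": ["secretsmanager:Get*", "s3:GetObject"],
     "Resource": "*"},
    {"Sid": "PrefixWide", "Effect": "Allow",
     "Action": "*",
     "Resource": ["arn:aws:secretsmanager:*:*:secret:*", "arn:aws:s3:::assets/*"]}
  ]
}
""")

READ_ACTION = "secretsmanager:getsecretvalue"
# Constructed ARN of a secret this workload should never need (assumption).
PROBE_ARN = "arn:aws:secretsmanager:us-east-1:111122223333:secret:probe/unrelated-db-password-XyZ123"


def as_list(value):
    """IAM allows a single string or a list for Action, Resource and Statement."""
    return value if isinstance(value, list) else [value]


def grants_secret_read(stmt):
    # IAM action patterns are case-insensitive and support * and ? wildcards.
    return any(fnmatch.fnmatchcase(READ_ACTION, a.lower())
               for a in as_list(stmt.get("Action", [])))


def overbroad_secret_reads(policy, probe_arn=PROBE_ARN):
    """Return (Sid, resource patterns) for Allow statements that let the role
    read a secret unrelated to the workload, i.e. the pattern covers the probe."""
    findings = []
    for i, stmt in enumerate(as_list(policy.get("Statement", []))):
        if stmt.get("Effect") != "Allow" or not grants_secret_read(stmt):
            continue
        hits = [r for r in as_list(stmt.get("Resource", []))
                if fnmatch.fnmatchcase(probe_arn, r)]
        if hits:
            findings.append((stmt.get("Sid", f"statement[{i}]"), hits))
    return findings
```

On the sample policy the check flags `Legacy` and `PrefixWide` and passes `AppConfig`, whose resource names a single secret.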
Scale of the alleged data haul
FulcrumSec says it ultimately exfiltrated roughly 2.04 gigabytes of structured data. In its posts, the group describes accessing about 3.9 million records from more than 500 Redshift tables, along with 21,000 customer account entries, around 400,000 individual user profiles and some 5,500 responses to attorney surveys.
The user profiles, according to the group's description and samples reviewed by security analysts, include names, work email addresses, phone numbers, job titles and organization names tied to LexisNexis cloud services. The attackers say more than 100 of the accounts use .gov email addresses and belong to U.S. federal judges and law clerks, Justice Department attorneys, Securities and Exchange Commission staff and other government employees.
Security researchers who examined the leaked files said they did not appear to include Social Security numbers or payment card data, but did contain detailed business contact information, product-usage metadata, and apparent information about internal cloud architecture, including network layouts and system names.
Extortion-style tactics alleged
FulcrumSec has portrayed the operation as an effort to expose what it called "pitiful security" at a powerful data broker. In one manifesto-style post, the group said it contacted LexisNexis seeking "cooperation" and decided to leak the data publicly after the company "chose not to work with us." The description matches common extortion tactics in which hackers threaten to release stolen data if a victim does not pay.
The group also claimed its intent was not to harm U.S. government employees but to pressure the company to improve its security; that assertion could not be independently verified.
LexisNexis has not responded publicly to FulcrumSec's specific technical claims or to questions about how long the affected application remained unpatched after React2Shell was disclosed. The company also has not provided a detailed breakdown of how many individuals or organizations are represented in the legacy data, or how many are based in the United States, Europe or other jurisdictions.
Prior incidents and broader implications
RELX, listed on the London and New York stock exchanges, has not filed a separate market disclosure quantifying the financial impact of the incident. In its most recent annual report, filed in February, the company warned generally that a significant IT failure or security breach could have a material adverse effect, without referencing this incident.
The episode follows prior security issues linked to LexisNexis and related units. In 2005, a LexisNexis subsidiary reported unauthorized access to personal data on nearly 100,000 people. In 2025, LexisNexis Risk Solutions disclosed a separate breach involving a development platform, prompting class-action investigations.
Even if exposed records are several years old, experts say contact details and role information for judges, prosecutors and regulators can be used to craft convincing phishing emails, impersonation attempts and other targeted attacks.
"Legacy contact data can still be highly actionable for an adversary," said one cybersecurity analyst who reviewed samples of the leaked material. "If you know which chambers use which products and who the power users are, you can build very credible lures to try to harvest current credentials."
The breach also highlights the legal system's and government agencies' reliance on third-party platforms outside their direct control. While law firms, courts and regulators may invest heavily in securing their own networks, they often depend on vendors like LexisNexis for core functions such as legal research and identity verification.
Under U.S. state breach-notification laws, companies typically must notify individuals when certain combinations of personal information are exposed, such as names alongside Social Security numbers or financial account details. Because LexisNexis says the compromised data does not include that type of information, the incident may fall into a gray area in some jurisdictions, even though many affected users hold sensitive public roles.
In Europe and the United Kingdom, regulators can require notification when personal data is exposed and there is a risk to individuals' rights and freedoms, potentially including risks tied to targeted harassment or fraud. LexisNexis has not disclosed which regulators it has notified.
For now, law firms, courts and agencies that rely on LexisNexis are reassessing defenses in light of the leak. Security advisers say institutions should treat the incident as a prompt to tighten controls around vendor access, strengthen phishing defenses and review how much identifying information is shared with external platforms.
As investigators and regulators probe what happened inside LexisNexis' cloud environment, the case is likely to shape how courts and agencies think about the security of the tools that underpin their daily work.