LexisNexis hit by second data breach in two years

March 7, 2026

  • Key insight: Threat group FulcrumSec claims to have exfiltrated 2.04 gigabytes of data from LexisNexis Legal & Professional in late February.
  • What’s at stake: The compromised data supposedly includes sensitive profiles for federal judges, 118 users at the SEC and Department of Justice personnel.
  • Supporting data: The attackers claimed to have extracted 45 employee password hashes, 82,683 customer support tickets and 53 cloud secrets in plain text.

Overview bullets generated by AI with editorial review

Cybercriminals breached data giant LexisNexis and stole sensitive records belonging to law firms, federal regulators and corporate clients, according to claims from a threat group.

The threat actor, known as FulcrumSec, claims to have exfiltrated 2.04 gigabytes of data from the company’s cloud infrastructure in late February. For its part, a LexisNexis spokesperson said the matter was “contained.”

The attackers said they exploited an unpatched software vulnerability to access the data, which supposedly includes information on 118 users at the Securities and Exchange Commission, the Department of Justice and federal courts, as well as customer passwords and customer support tickets.

Bleeping Computer first reported the breach.

The LexisNexis brand is common in the financial sector, but the recent breach specifically targeted LexisNexis Legal & Professional, a distinct entity from the one familiar to banks. The two share a parent corporation: RELX.

The breached division provides legal, regulatory and business research tools to law firms, courts and government agencies, which is why the exposed data, according to the attackers, includes user profiles for federal judges and Department of Justice personnel.

Financial institutions would be more familiar with sister company LexisNexis Risk Solutions, which provides services for identity verification, fraud prevention and anti-money-laundering compliance.

Because LexisNexis Risk Solutions operates independently from the Legal & Professional division, the FulcrumSec breach does not appear to impact the databases that bankers use. However, threat actors did access those databases in 2024.

Unpatched vulnerabilities and weak passwords

FulcrumSec said it breached the LexisNexis system using a critical, unpatched software flaw known as React2Shell, or CVE-2025-55182.

This vulnerability allows an unauthenticated attacker to remotely execute arbitrary code on a server. It carries a maximum severity score of 10.0.

Despite the vulnerability becoming public in early December 2025, LexisNexis apparently failed to patch its systems for months.

The Cybersecurity and Infrastructure Security Agency added React2Shell to its catalog of actively exploited vulnerabilities on Dec. 5. The agency strongly urged organizations to prioritize patching the flaw within a week.

“They could not patch their own React app months after React2Shell broke,” the threat actors wrote in a Tuesday forum post.

Once inside the network, FulcrumSec said, it discovered poor password hygiene that allowed it to extract 53 cloud secrets in plaintext.

A cloud secret is a piece of sensitive digital information — such as API keys, database credentials, passwords or encryption keys — used to authenticate and authorize services in cloud computing environments.

The attackers claimed the vendor reused the password “Lexis1234” across at least five internal systems and databases.

Conflicting reports on the breach’s scope

The vendor and the threat group offered sharply different accounts of the incident’s severity and the sensitivity of the compromised data.

The company downplayed the scope of the incident.

“LexisNexis Legal & Professional has investigated a security matter and based on the investigation and testing we have done to date, we believe the matter is contained,” said a spokesperson for LexisNexis Legal & Professional.

The threat actor accessed a limited number of servers containing mostly outdated data from before 2020, and the compromised information did not include active passwords, financial information or sensitive personal identifiers, according to the spokesperson.

For its part, the threat group claims the stolen data is both current and sensitive.

The attackers claimed to have extracted 45 employee password hashes and 82,683 customer support tickets, some of which contained customer passwords in plain text, according to a Tuesday post on data breach site BreachForums. They also claim to have stolen those 53 cloud secrets in plain text.

A pattern of security incidents

This is not the first time the LexisNexis brand has been tarnished by a significant security failure. The threat group explicitly framed this new attack as separate from a previous breach.

“To be clear, this is from a breach we conducted just last week, not the 2024 breach that resulted in a massive class action,” FulcrumSec wrote in a Tuesday forum post.

In that previous incident, attackers breached a third-party software development platform used by LexisNexis Risk Solutions on Dec. 25, 2024. The company discovered the breach months later on April 1, 2025.

That earlier breach compromised the personal information of 364,333 people. The stolen data included names, dates of birth, Social Security numbers, and driver’s license numbers, according to a May 2025 data breach notification the company filed with the Maine attorney general.
