LexisNexis Confirms Data Breach After Hackers Exploit Unpatched React App
LexisNexis Legal & Professional, a global provider of legal, regulatory, and business analytics tools, has confirmed a data breach after hackers exploited an unpatched React frontend application to gain access to its AWS infrastructure. The incident, which occurred on February 24, was disclosed following a 2GB data leak by the threat actor FulcrumSec across underground forums.
The breach stemmed from the React2Shell vulnerability, which allowed attackers to infiltrate LexisNexis’ cloud environment. While the company stated that the compromised data was "legacy and deprecated," dating mostly from before 2020, it included customer names, user IDs, business contact details, IP addresses from surveys, and support tickets. LexisNexis emphasized that no sensitive personal or financial data (such as Social Security numbers, credit card details, or active passwords) was exposed.
However, FulcrumSec claimed to have exfiltrated 3.9 million database records, including:
- 21,042 customer accounts
- 5,582 attorney survey responses
- 45 employee password hashes
- 53 AWS Secrets Manager secrets in plaintext
- 400,000 cloud user profiles (with names, emails, and job functions)
- 118 .gov email accounts linked to U.S. government employees, federal judges, DOJ attorneys, and SEC staff
The hackers also accessed 536 Redshift tables and 430+ VPC database tables, along with a complete mapping of LexisNexis’ VPC infrastructure. FulcrumSec criticized the company’s security practices, noting that a single ECS task role had excessive read access, including to the production Redshift master credential.
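The over-permissioned task role described above is the kind of finding a policy audit can surface before an incident. The following is an added example, not taken from the report or from LexisNexis: it flags IAM statements that allow reading Secrets Manager values on a wildcard resource. The policy documents, Sids, region, account ID and secret name are constructed, since the page does not publish the actual role policy.

```python
import fnmatch

READ_ACTION = "secretsmanager:getsecretvalue"  # IAM action names are case-insensitive

def _as_list(value):
    if value is None:
        return []
    return [value] if isinstance(value, (str, dict)) else list(value)

def _covers_read(stmt):
    """True if an Allow statement's action patterns include GetSecretValue."""
    if stmt.get("Effect") != "Allow":
        return False
    if "NotAction" in stmt:  # Allow + NotAction grants everything not listed
        return not any(fnmatch.fnmatchcase(READ_ACTION, p.lower())
                       for p in _as_list(stmt["NotAction"]))
    return any(fnmatch.fnmatchcase(READ_ACTION, p.lower())
               for p in _as_list(stmt.get("Action")))

def _is_broad(resource):
    """'*' or a Secrets Manager ARN whose secret name is only wildcards."""
    if resource == "*":
        return True
    parts = resource.split(":", 6)
    return (len(parts) == 7 and parts[2] == "secretsmanager"
            and parts[6].strip("*") == "")

def overbroad_secret_reads(policy):
    """Return (Sid, resource, has_condition) for each broad secret-read grant."""
    findings = []
    for i, stmt in enumerate(_as_list(policy.get("Statement"))):
        if not _covers_read(stmt):
            continue
        for res in _as_list(stmt.get("Resource")):
            if _is_broad(res):
                findings.append((stmt.get("Sid", f"statement[{i}]"), res,
                                 "Condition" in stmt))
    return findings

# Constructed sample policies: a broad task-role grant and a scoped replacement.
WEAK_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "ReadConfig", "Effect": "Allow",
     "Action": ["secretsmanager:Get*", "secretsmanager:List*"], "Resource": "*"},
    {"Sid": "Assets", "Effect": "Allow", "Action": "s3:GetObject",
     "Resource": "arn:aws:s3:::example-assets/*"}]}
SCOPED_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "ReadOwnSecret", "Effect": "Allow",
     "Action": "secretsmanager:GetSecretValue",
     "Resource": "arn:aws:secretsmanager:us-east-1:111122223333:"
                 "secret:frontend/session-key-??????"}]}
```

Statements that use `NotResource` are not evaluated by this check, and a finding with `has_condition` set to true needs manual review because the condition may narrow the grant.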
LexisNexis stated that the intrusion was contained and that no evidence suggested product or service disruption. The company has engaged law enforcement and external cybersecurity experts to investigate and has notified affected customers. This incident follows a 2023 breach in which hackers compromised a corporate account, exposing data on 364,000 customers.
LexisNexis cybersecurity rating report: https://www.rankiteo.com/company/lexisnexis
"id": "LEX1772555037",
"linkid": "lexisnexis",
"type": "Breach",
"date": "2/2026",
"severity": "85",
"impact": "4",
"explanation": "Attack with significant impact with customers data leaks"
{'affected_entities': [{'customers_affected': '21,042 customer accounts, 118 '
'.gov email accounts (U.S. '
'government employees, federal '
'judges, DOJ attorneys, SEC '
'staff)',
'industry': 'Legal, Regulatory, and Business Analytics',
'location': 'Global',
'name': 'LexisNexis Legal & Professional',
'type': 'Corporation'}],
'attack_vector': 'Exploitation of unpatched React2Shell vulnerability in '
'frontend application',
'customer_advisories': 'Affected customers notified',
'data_breach': {'data_exfiltration': 'Yes, 2GB of data leaked',
'number_of_records_exposed': '3.9 million database records',
'personally_identifiable_information': 'Names, business '
'contact details, IP '
'addresses, government '
'email accounts',
'sensitivity_of_data': 'Legacy and deprecated data (mostly '
'pre-2020), no sensitive personal or '
'financial data exposed',
'type_of_data_compromised': ['Customer names',
'User IDs',
'Business contact details',
'IP addresses',
'Survey responses',
'Support tickets',
'Employee password hashes',
'AWS Secrets Manager secrets',
'Cloud user profiles',
'Government email accounts']},
'date_detected': '2024-02-24',
'description': 'LexisNexis Legal & Professional confirmed a data breach after '
'hackers exploited an unpatched React frontend application to '
'gain access to its AWS infrastructure. The breach resulted in '
'a 2GB data leak by the threat actor FulcrumSec, including '
'legacy and deprecated customer data.',
'impact': {'data_compromised': '2GB of data leaked, including customer names, '
'user IDs, business contact details, IP '
'addresses, survey responses, support tickets, '
'employee password hashes, AWS Secrets Manager '
'secrets, cloud user profiles, and government '
'email accounts',
'downtime': 'No evidence of product or service disruption',
'identity_theft_risk': 'Potential risk due to exposed personal and '
'business contact details',
'operational_impact': 'Contained intrusion, no service disruption '
'reported',
'payment_information_risk': 'No sensitive financial data exposed',
'systems_affected': 'AWS infrastructure, ECS task roles, Redshift '
'tables, VPC database tables'},
'initial_access_broker': {'entry_point': 'Unpatched React frontend '
'application',
'high_value_targets': 'AWS Secrets Manager secrets, '
'Redshift tables, VPC '
'infrastructure'},
'investigation_status': 'Ongoing',
'post_incident_analysis': {'root_causes': 'Unpatched React2Shell '
'vulnerability, excessive read '
'access in ECS task role'},
'ransomware': {'data_exfiltration': 'Yes'},
'references': [{'source': 'Cyber Incident Description'}],
'response': {'communication_strategy': 'Notified affected customers',
'containment_measures': 'Intrusion contained',
'law_enforcement_notified': 'Yes',
'third_party_assistance': 'External cybersecurity experts '
'engaged'},
'threat_actor': 'FulcrumSec',
'title': 'LexisNexis Data Breach After Hackers Exploit Unpatched React App',
'type': 'Data Breach',
'vulnerability_exploited': 'React2Shell vulnerability'}