FulcrumSec Claims Breach of LexisNexis, Exposing 2GB of Sensitive Legal Data
On March 3, 2026, the threat actor FulcrumSec publicly took responsibility for a breach of LexisNexis Legal & Professional, a division of RELX Group, alleging the theft of 2.04 GB of structured data from the company’s AWS cloud infrastructure. The attack, which began on February 24, exploited the React2Shell vulnerability in an unpatched React frontend application a flaw reportedly left unaddressed for months.
FulcrumSec gained access via the compromised LawfirmsStoreECSTaskRole ECS task container, which had broad permissions, including read access to:
- Production Redshift data warehouse
- 17 VPC databases
- AWS Secrets Manager
- Qualtrics survey platform
The actor criticized LexisNexis’s security practices, highlighting that the RDS master password was set to "Lexis1234" and that a single task role had access to all AWS Secrets Manager entries, including production database credentials.
Exposed Data Includes:
- 3.9 million database records
- 400,000 cloud user profiles (names, emails, phone numbers, job functions)
- 21,042 enterprise customer accounts
- 45 employee password hashes
- 118 .gov email accounts (federal judges, DOJ attorneys, U.S. SEC staff, and court law clerks)
- 53 plaintext AWS Secrets Manager secrets
- Complete VPC infrastructure map
FulcrumSec clarified that this breach is unrelated to the December 2024 GitHub incident, where attackers stole Social Security numbers of 364,000 individuals via a third-party development platform. The repeated compromises raise concerns about systemic security gaps in one of the world’s largest legal data repositories.
Source: https://cybersecuritynews.com/lexisnexis-data-breach/
RELX cybersecurity rating report: https://www.rankiteo.com/company/relx-group
LexisNexis Legal cybersecurity rating report: https://www.rankiteo.com/company/lexisnexislegal
"id": "RELLEX1772562253",
"linkid": "relx-group, lexisnexislegal",
"type": "Breach",
"date": "3/2026",
"severity": "100",
"impact": "5",
"explanation": "Attack threatening the organization's existence"{'affected_entities': [{'customers_affected': '21,042 enterprise customer '
'accounts, 118 .gov email '
'accounts (federal judges, DOJ '
'attorneys, U.S. SEC staff, '
'court law clerks)',
'industry': 'Legal Data & Analytics',
'name': 'LexisNexis Legal & Professional (RELX Group)',
'type': 'Corporation'}],
'attack_vector': 'Exploitation of unpatched vulnerability (React2Shell)',
'data_breach': {'data_exfiltration': '2.04 GB of data stolen',
'number_of_records_exposed': '3.9 million database records, '
'400,000 cloud user profiles',
'personally_identifiable_information': 'Names, emails, phone '
'numbers, job '
'functions, .gov email '
'accounts',
'sensitivity_of_data': 'High (PII, .gov accounts, plaintext '
'secrets, password hashes)',
'type_of_data_compromised': ['Database records',
'Cloud user profiles',
'Enterprise customer accounts',
'Employee password hashes',
'Government email accounts',
'AWS Secrets Manager secrets',
'VPC infrastructure map']},
'date_detected': '2026-02-24',
'date_publicly_disclosed': '2026-03-03',
'description': 'On March 3, 2026, the threat actor FulcrumSec publicly took '
'responsibility for a breach of LexisNexis Legal & '
'Professional, a division of RELX Group, alleging the theft of '
'2.04 GB of structured data from the company’s AWS cloud '
'infrastructure. The attack exploited the React2Shell '
'vulnerability in an unpatched React frontend application, '
'gaining access via the compromised LawfirmsStoreECSTaskRole '
'ECS task container with broad permissions. Exposed data '
'includes 3.9 million database records, 400,000 cloud user '
'profiles, 21,042 enterprise customer accounts, 45 employee '
'password hashes, 118 .gov email accounts, and 53 plaintext '
'AWS Secrets Manager secrets.',
'impact': {'brand_reputation_impact': 'Systemic security gaps concerns',
'data_compromised': '2.04 GB of structured data',
'identity_theft_risk': 'High (exposure of PII, .gov email '
'accounts, and password hashes)',
'systems_affected': ['AWS cloud infrastructure',
'Production Redshift data warehouse',
'17 VPC databases',
'AWS Secrets Manager',
'Qualtrics survey platform']},
'initial_access_broker': {'entry_point': 'LawfirmsStoreECSTaskRole ECS task '
'container'},
'post_incident_analysis': {'root_causes': ['Unpatched React2Shell '
'vulnerability',
'Over-permissive ECS task role',
'Weak RDS master password '
'(Lexis1234)',
'Single task role with access to '
'all AWS Secrets Manager entries']},
'ransomware': {'data_exfiltration': 'Yes'},
'references': [{'source': 'Cyber Incident Description'}],
'threat_actor': 'FulcrumSec',
'title': 'FulcrumSec Claims Breach of LexisNexis, Exposing 2GB of Sensitive '
'Legal Data',
'type': 'Data Breach',
'vulnerability_exploited': 'React2Shell vulnerability in React frontend '
'application'}