
LexisNexis Data Breach: Threat Actor Claims Theft of 2.04 GB of Data

A threat actor named FulcrumSec has claimed responsibility for breaching LexisNexis Legal & Professional, part of RELX Group.

On March 3, 2026, FulcrumSec posted details alleging the theft of 2.04 GB of structured data from the company’s Amazon Web Services (AWS) cloud infrastructure.

The actor accessed sensitive production systems, exposing flaws in access controls, credential management, and patching.

The breach underscores risks in cloud environments where over-privileged roles and weak passwords enable lateral movement.

LexisNexis, a key provider of legal data, has not publicly confirmed the incident. This follows a separate December 2024 GitHub breach affecting 364,000 users’ personal data.

Initial Access via React2Shell Vulnerability

FulcrumSec gained initial access on February 24, 2026, by exploiting an unpatched React2Shell vulnerability in a React frontend application.

Cybersecuritynews reports the flaw lingered for months despite known exploits.

From there, the actor compromised an AWS Elastic Container Service (ECS) task container running under the task role “LawfirmsStoreECSTaskRole.”

This role held broad read permissions across the AWS account. Attackers then reached the production Redshift data warehouse, 17 Virtual Private Cloud (VPC) databases, AWS Secrets Manager, and the Qualtrics survey platform.

Alleged Leak Claim

FulcrumSec mocked LexisNexis’ security, noting that the Relational Database Service (RDS) master password was the weak “Lexis1234.”

A single task role also granted read access to all AWS Secrets Manager entries, including production database credentials.

| CVE ID | CVSS Score | Description | CWE ID | Affected Component | Source |
|---|---|---|---|---|---|
| CVE-2024-4358 | 9.8 (Critical) | React2Shell RCE in unpatched React apps allows remote code execution via malicious payloads | CWE-78 | React frontend app | Cybersecuritynews |

FulcrumSec claims to have stolen vast sensitive data, including 3.9 million database records from 536 Redshift tables and 430+ VPC database tables.

Other assets include ~400,000 cloud user profiles (names, emails, phones, job roles), 21,042 enterprise customer accounts, 53 plaintext AWS Secrets Manager secrets, 45 employee password hashes, and VPC infrastructure maps.

Notably, 118 profiles are linked to .gov email addresses of federal judges, U.S. Department of Justice attorneys, court clerks, and SEC staff. This exposes risks to the legal and government sectors reliant on LexisNexis.

Mitigations: Organizations should enforce least-privilege IAM roles, rotate credentials via Secrets Manager rotation policies, apply patches promptly (e.g., for React2Shell), and monitor ECS tasks with AWS CloudTrail.

Scan for weak passwords using tools such as the Pwned Passwords API. LexisNexis users should review access logs and enable MFA.
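
The least-privilege point above, as an added example (not from the original article or from LexisNexis): a Python check that flags IAM policy statements letting a role read arbitrary Secrets Manager secrets, the condition the article describes for the ECS task role. The policies, account ID, secret names and the function name broad_secret_reads are constructed for illustration.

```python
import fnmatch

# Constructed probe ARNs: two unrelated secrets in a placeholder account.
# A Resource pattern that matches both is not scoped to one application.
PROBES = [
    "arn:aws:secretsmanager:us-east-1:111122223333:secret:prod/db/master-AbCdEf",
    "arn:aws:secretsmanager:us-east-1:111122223333:secret:other-team/api-key-XyZ123",
]
READ_ACTION = "secretsmanager:getsecretvalue"  # IAM action names are case-insensitive

def _as_list(value):
    """IAM allows a single string/object wherever a list is accepted."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]

def broad_secret_reads(policy):
    """Return the Sid (or index) of each Allow statement that grants
    GetSecretValue on a Resource pattern covering unrelated secrets.
    Condition blocks are not evaluated; a flagged statement that has
    one still needs manual review."""
    findings = []
    for i, st in enumerate(_as_list(policy.get("Statement"))):
        if st.get("Effect") != "Allow" or "Action" not in st or "Resource" not in st:
            continue  # Deny, NotAction and NotResource forms are out of scope here
        grants_read = any(fnmatch.fnmatchcase(READ_ACTION, a.lower())
                          for a in _as_list(st["Action"]))
        covers_all = any(all(fnmatch.fnmatchcase(p, res) for p in PROBES)
                         for res in _as_list(st["Resource"]))
        if grants_read and covers_all:
            findings.append(st.get("Sid", f"statement[{i}]"))
    return findings

# Constructed policy modelled on the article's description: one task role
# with read access to every secret in the account.
BROAD = {"Version": "2012-10-17", "Statement": [
    {"Sid": "ReadEverything", "Effect": "Allow",
     "Action": ["secretsmanager:Get*", "rds:Describe*"], "Resource": "*"}]}

# Constructed least-privilege counterpart: only this application's secrets.
SCOPED = {"Version": "2012-10-17", "Statement": {
    "Sid": "ReadOwnSecrets", "Effect": "Allow",
    "Action": "secretsmanager:GetSecretValue",
    "Resource": "arn:aws:secretsmanager:us-east-1:111122223333:secret:lawfirms-store/*"}}

if __name__ == "__main__":
    print("broad :", broad_secret_reads(BROAD))
    print("scoped:", broad_secret_reads(SCOPED))
```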

The claim raises alarms for cloud supply chain security. No ransom demand yet; samples may surface on BreachForums.


The post LexisNexis Data Breach: Threat Actor Claims Theft of 2.04 GB of Data appeared first on Cyber Security News.

rssfeeds-admin
