TL;DR: A threat actor called FULCRUMSEC breached LexisNexis Legal & Professional (the legal research arm of $80 billion RELX Group) and stole 2.04 GB of structured data from their AWS infrastructure. The haul includes contact information for 118 federal judges, DOJ attorneys, SEC staff, and law clerks. Also exposed: 400,000 user profiles, 21,000 enterprise customer accounts, and 53 AWS secrets in plaintext. The attackers got in through an unpatched React vulnerability on February 24. LexisNexis confirmed the breach on March 4 but claims most data is "legacy information from before 2020."

What Got Stolen

FULCRUMSEC didn't just grab some files and run. They mapped the entire infrastructure [1].

The damage:

  • 118 government accounts. Federal judges, DOJ attorneys, SEC staff, and federal court law clerks. Names, emails, phone numbers, job functions, access credentials.
  • ~400,000 user profiles. Real names, emails, phone numbers, and job titles for LexisNexis cloud users
  • 21,042 enterprise customer accounts. Subscription details and pricing information for law firms and corporations
  • 3.9 million Enterprise Data Warehouse records
  • 53 AWS Secrets Manager secrets. In plaintext. Production passwords. API keys. Everything.
  • 45 employee password hashes. Plus cleartext customer passwords found in support tickets
  • Complete VPC infrastructure mapping. The blueprint to their entire cloud setup
  • 10,000 IT incident tickets. Engineering defect records included
  • 5,582 attorney survey responses. With IP addresses attached

That's 536 Redshift tables and 430+ VPC databases' worth of data. Structured. Organized. Ready for exploitation [2].

Why the Federal Judge Data Matters

Out of 400,000 user profiles, 118 held .gov email addresses. These aren't random government employees. They're the people who rule on federal cases [3].

The exposed officials include:

  • Federal judges
  • Federal court law clerks
  • U.S. Department of Justice attorneys
  • U.S. Securities and Exchange Commission staff

LexisNexis says this data didn't include Social Security numbers. But names, emails, phone numbers, and job roles? That's everything you need for targeted phishing, social engineering, or worse.

Foreign intelligence services would pay handsomely for a verified contact list of federal judges. Now it's floating around hacker forums.

How FULCRUMSEC Got In

The attackers exploited a vulnerability called React2Shell in an unpatched React frontend application [4]. LexisNexis had reportedly left this flaw unaddressed for months.

Initial access came on February 24, 2026. From there, they exploited a vulnerable container role to bypass access controls and spread across the AWS infrastructure.

The security failures weren't subtle:

  • Unpatched frontend application. Known vulnerability, months old
  • Overly permissive IAM role configurations. Once inside, they could go anywhere
  • Hardcoded database password. "Lexis1234" [4]

"Lexis1234." That was the password protecting data on federal judges.

For a company that sells legal research tools to the most security-conscious organizations in the world, this is embarrassing.
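The "overly permissive IAM role" failure is something defenders can check for in their own accounts. The following is an added example, not code from LexisNexis or the cited reports: it flags policy statements that let a role read every Secrets Manager secret. The policy document, Sids and account ID are constructed for illustration.

```python
import json
from fnmatch import fnmatchcase

# Constructed policy for a hypothetical container task role (not breach data).
SAMPLE_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "AppSecret", "Effect": "Allow",
     "Action": "secretsmanager:GetSecretValue",
     "Resource": "arn:aws:secretsmanager:us-east-1:111122223333:secret:app/db-AbCdEf"},
    {"Sid": "AllSecrets", "Effect": "Allow",
     "Action": ["secretsmanager:Get*", "secretsmanager:ListSecrets"],
     "Resource": "*"},
    {"Sid": "Admin", "Effect": "Allow", "Action": "*", "Resource": "*"},
    {"Sid": "DenyDelete", "Effect": "Deny",
     "Action": "secretsmanager:DeleteSecret", "Resource": "*"}
  ]
}
""")

READ_SECRET = "secretsmanager:getsecretvalue"


def _as_list(value):
    """IAM allows a bare string or a list for Action and Resource."""
    return value if isinstance(value, list) else [value]


def audit_policy(policy):
    """Return (Sid, reason) for Allow statements that can read every secret."""
    findings = []
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements only narrow access
        # IAM action names are case-insensitive and support * and ? wildcards.
        actions = [a.lower() for a in _as_list(stmt.get("Action", []))]
        resources = _as_list(stmt.get("Resource", []))
        reads = any(fnmatchcase(READ_SECRET, a) for a in actions)
        unscoped = any(r == "*" or r.endswith(":secret:*") for r in resources)
        if reads and unscoped:
            reason = ("every action on every resource" if "*" in actions
                      else "GetSecretValue on every secret")
            findings.append((stmt.get("Sid", "<no Sid>"), reason))
    return findings


if __name__ == "__main__":
    for sid, reason in audit_policy(SAMPLE_POLICY):
        print(f"{sid}: {reason}")
```

The check is deliberately narrow: it does not evaluate NotAction, Condition keys, or permission boundaries, so a clean result is not proof of least privilege.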

LexisNexis Response

The company confirmed the breach on March 4, 2026, over a week after the initial intrusion [5].

Their statement:

  • The data was "mostly legacy information from before 2020"
  • No Social Security numbers were included
  • The intrusion has been contained
  • Law enforcement has been notified
  • An external forensics firm is investigating

"Legacy information" is doing a lot of heavy lifting here. Those 118 federal officials probably still work in government. Their contact details from 2019 are still useful.

Who Is FULCRUMSEC?

FULCRUMSEC is an extortion group that appeared on breach forums claiming responsibility for the attack [1]. They've positioned themselves as exposing corporate security failures.

The group released samples of the data to prove they had the goods. The samples included structured database exports: not raw files, but organized data ready for sale or exploitation.

Whether they're after ransom money or just notoriety, the damage is done. The data is out.

The Supply Chain Problem

LexisNexis isn't just any company. They're embedded in the legal industry's infrastructure. Law firms, courts, and government agencies depend on them for research, due diligence, and case management.

When a company like this gets breached, every customer has to ask: what did the attackers see about us?

The exposed data includes:

  • Which law firms use LexisNexis (and what they pay for it)
  • What products government agencies subscribe to
  • IT infrastructure details that could enable further attacks
  • Engineering defect records showing potential vulnerabilities

This is supply chain risk materialized. A single vendor weakness exposed data across thousands of organizations.

What Affected Organizations Should Do

Rotate Credentials Immediately

If your organization uses LexisNexis, assume your account details were exposed. Change passwords and revoke any API keys connected to their services.

Watch for Targeted Phishing

Attackers know which organizations use LexisNexis and who their contacts are. Expect highly targeted phishing attempts that reference real subscription details.

Federal Employees: Extra Caution

If you're a federal judge, DOJ attorney, or SEC staff member, your contact information may be in criminal hands. Be suspicious of unsolicited communications, even ones that seem legitimate.

Review Vendor Security Assurances

LexisNexis is a major legal industry vendor. If they can get popped with a password like "Lexis1234," question every vendor's security claims.

References

  1. Daily Dark Web - LexisNexis Investigates Massive Data Breach by FULCRUMSEC
  2. Cybersecurity News - LexisNexis Data Breach: Threat Actor Claims 2.04 GB Stolen
  3. Cyber News Centre - LexisNexis Confirms Major Cloud Breach, Exposing Legal and Government Client Data
  4. The Record - LexisNexis says hackers accessed legacy data in contained breach
  5. Rankiteo - RELX Group and LexisNexis Legal & Professional Breach