
Legal data giant LexisNexis confirmed a breach after hackers posted a manifesto Tuesday linking to more than 3.9 million internal records allegedly exfiltrated from the company’s AWS infrastructure – including plaintext login credentials and profile data tied to roughly 400,000 users.
- A hacker manifesto claims 3.9 million records were exfiltrated from LexisNexis systems, including profile data tied to roughly 400K users.
- The dataset allegedly includes .gov email accounts linked to courts, federal agencies, and other public-sector institutions.
- Cloud credentials, enterprise customer records, and internal databases from LexisNexis AWS infrastructure are also said to be part of the leak.
The massive dataset, posted online by the relatively unknown threat actor FulcrumSec, is said to contain “2.04GB of structured data” and more than “3.9 million database records” extracted from LexisNexis cloud environments, including Amazon Web Services (AWS), Oracle, and Salesforce.
Ironically, the breach exposes internal data linked to courts, law firms, regulators, and federal agencies – the very institutions that rely on LexisNexis for legal intelligence.
The dataset also appears to expose how LexisNexis manages customer agreements, internal systems, and cloud credentials.
Massive dataset exposes legal industry customer records
The cache purportedly includes over 21,000 enterprise customer accounts, including law firms, government agencies, universities, and corporate clients.
What’s more, dozens of unencrypted system credentials also appear to have been exposed, along with more than 300,000 agreement records mapping customers to the products they subscribe to, including contract dates, renewal status, and pricing tiers.
“The breach itself came down to an unpatched React app and a single ECS task role with read access to every secret in the account,” points out Ross Filipek, CISO at Corsica Technologies.
“Once attackers were in, they had a straight path to production database credentials, 53 secrets in plaintext, and a complete map of the VPC infrastructure,” Filipek explains.
The hackers further boast of compromising 118 accounts associated with US government email domains (.gov), including three US federal judges, four Department of Justice (DoJ) attorneys, 15 probation officers, 19 federal court law clerks, and an unknown number of US Securities and Exchange Commission (SEC) staff.
The group also published a small sample of fully doxxed federal officials tied to courts and regulatory agencies across the US, including individuals based in California, Texas, Illinois, and New York City.
“The kind of individuals whose digital footprints carry national security implications,” FulcrumSec wrote in its nearly 4,000-word manifesto posted both on BreachForums and its own leak site.
“LexisNexis works with 91 percent of Fortune 100 companies and 85 percent of Fortune 500 companies, which means its footprint spans some of the most influential organizations in the world,” said Steve Cobb, Chief Information Security Officer at SecurityScorecard.
Cobb says the breach only “reinforces that data brokers and analytics providers are not peripheral players,” noting that companies like LexisNexis “are deeply embedded in today’s risk landscape.”
LexisNexis disputes scope of breach
Founded in 1970 and based in Atlanta, LexisNexis has extensive global reach, with 40 offices across multiple industry sectors, 11,000 employees, and customers in more than 180 countries and territories.
Furthermore, the data giant also provides “information-based analytics and decision tools” to more than 7,500 US federal, state, and local government agencies, nine out of ten banks, and major insurers and airline groups worldwide, the LexisNexis website states.
LexisNexis confirmed to Cybernews on Tuesday that “an unauthorized party accessed a limited number of servers,” but said its investigation found “no evidence of compromise or impact to our products and services.”
The company also said it believes “the incident is contained” and that the affected servers contained “mostly legacy, deprecated data from before 2020,” including customer names, user IDs, business contact information, products used, customer surveys with respondent IP addresses, and support tickets.
Still, Pete Luban, Field CISO at AttackIQ, notes that even if the stolen information is largely “legacy data, even ‘non-critical’ customer and business metadata can fuel targeted phishing, account discovery, and follow-on intrusions when it is paired with exposed infrastructure details.”
LexisNexis did stress that the data does not include Social Security numbers, driver’s license numbers, credit card numbers, bank account or other financial account information, active passwords, or customer search queries.
“Customer client or matter information, or customer contracts” were also said to have been untouched, although this is contrary to the hackers’ claims.
Luban also noted the December 2024 LexisNexis breach of its third-party development platform, tied to a compromised corporate account, exposing the private information of 364,000 individuals.
“It’s important to point out that repeated breaches erode trust and invite scrutiny, and each additional vendor connection expands the attack surface in ways defenders don't always see until it is too late,” he said.
Credentials and secrets allegedly exposed
The attackers claim they gained access to LexisNexis cloud infrastructure through a vulnerable application running in its AWS environment – an unpatched React application vulnerable to “React2Shell.”
“They sell cybersecurity assessments and risk intelligence. And yet … they could not secure their own AWS account.”
- FulcrumSec slams LexisNexis security posture
The group says it extracted data from a production Redshift "Enterprise data warehouse," as well as multiple databases connected through virtual private cloud environments.
According to the attackers, the compromised environment contained 536 Redshift tables and more than 430 database tables, along with access to the LexisNexis AWS Secrets Manager system, allowing them to extract 53 secrets, including dozens of credentials tied to databases, development systems, and enterprise integrations.
“All 53 secrets were extracted with their plaintext values. Every one,” the hackers wrote, while also exposing LexisNexis’ AWS cloud account number in full.
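The failure Filipek describes above, and the one the attackers claim to have exploited, is a task role whose IAM policy allows `secretsmanager:GetSecretValue` on `Resource: "*"`, so any code running in that task can read every secret in the account. The following is an added example, not code from LexisNexis, Cybernews, or the attackers’ post: a small checker that flags such statements in an IAM policy document, shown against a constructed over-broad policy and a constructed least-privilege version scoped to one application’s secrets. The account ID, region, and secret names are placeholders.

```python
"""Flag IAM policy statements that let a role read every secret in the account.

Added example for illustration only. The two policy documents below are
constructed; the account ID, region and secret names are placeholders and
are not taken from any real environment.
"""
import fnmatch

# Actions that return a secret's plaintext value.
SECRET_READ_ACTIONS = {"secretsmanager:getsecretvalue", "secretsmanager:batchgetsecretvalue"}


def _as_list(value):
    """IAM allows a string or a list in Action/Resource; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _action_reads_secrets(action_pattern):
    """True if an Action pattern ('*', 'secretsmanager:*', 'secretsmanager:Get*', ...) covers a secret read."""
    pattern = action_pattern.lower()
    return any(fnmatch.fnmatchcase(read, pattern) for read in SECRET_READ_ACTIONS)


def _resource_is_broad(resource):
    """A Resource is broad when it wildcards the secret name itself ('*' or '...:secret:*')."""
    return resource == "*" or resource.endswith(":secret:*")


def find_broad_secret_grants(policy):
    """Return the Sids (or 'Statement[i]') of Allow statements that can read any secret in the account."""
    findings = []
    for idx, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue
        label = stmt.get("Sid", f"Statement[{idx}]")

        if "NotAction" in stmt:
            # NotAction grants every action except those listed; only safe if all secret reads are excluded.
            excluded = [p.lower() for p in _as_list(stmt["NotAction"])]
            reads = not all(any(fnmatch.fnmatchcase(r, p) for p in excluded) for r in SECRET_READ_ACTIONS)
        else:
            reads = any(_action_reads_secrets(a) for a in _as_list(stmt.get("Action")))

        # NotResource grants everything except the listed ARNs, which is broad by construction.
        broad = "NotResource" in stmt or any(_resource_is_broad(r) for r in _as_list(stmt.get("Resource")))

        if reads and broad:
            findings.append(label)
    return findings


# Constructed: the pattern described in the article, one task role that can read every secret.
BROAD_TASK_ROLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "ReadAllSecrets", "Effect": "Allow",
         "Action": "secretsmanager:GetSecretValue", "Resource": "*"},
        {"Sid": "WriteLogs", "Effect": "Allow",
         "Action": ["logs:CreateLogStream", "logs:PutLogEvents"], "Resource": "*"},
    ],
}

# Constructed: same role scoped to its own application's secrets. Secrets Manager appends a
# random suffix to each secret ARN, so a trailing wildcard after the full name is the normal form.
SCOPED_TASK_ROLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "ReadOwnSecrets", "Effect": "Allow",
         "Action": "secretsmanager:GetSecretValue",
         "Resource": "arn:aws:secretsmanager:us-east-1:123456789012:secret:prod/webapp/db-*",
         "Condition": {"StringEquals": {"aws:ResourceTag/app": "webapp"}}},
        {"Sid": "WriteLogs", "Effect": "Allow",
         "Action": ["logs:CreateLogStream", "logs:PutLogEvents"], "Resource": "*"},
    ],
}


if __name__ == "__main__":
    for name, policy in (("broad", BROAD_TASK_ROLE_POLICY), ("scoped", SCOPED_TASK_ROLE_POLICY)):
        print(f"{name}: broad secret grants -> {find_broad_secret_grants(policy)}")
```

The scoped policy goes on the ECS task role (the identity application code assumes at runtime); if secrets are injected at container start, the execution role needs the same narrowly scoped read, not `*`. The checker deliberately treats `NotAction` and `NotResource` as broad unless secret reads are explicitly excluded, since those forms are a common way a wildcard grant hides in review.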
Hackers claim password reuse across internal systems
FulcrumSec also highlighted what it described as password reuse across multiple internal systems.
“The password 'Lexis1234' appears across at least five different secret entries,” the threat actor wrote, adding: “Five separate systems, one password.”
FulcrumSec additionally claimed to have recovered credentials for services including Salesforce ETL systems, Oracle databases, and analytics platforms, as well as a slew of API tokens and development access keys.
Mocking the alleged password structure, the attackers noted that one password followed a pattern of “sfdc + P@55w0rd + 01,” adding sarcastically: “Security through spelling.”
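The two weaknesses the attackers describe above, one password shared by several secret entries and a password derived from the name of the system it protects, are both things an owner of a Secrets Manager account can audit before anyone else does. The following is an added example, not code from the article or from the attackers: it takes `(secret name, SecretString)` pairs, pulls the credential fields out of JSON-formatted secrets, reports groups of secrets that share a value, and flags passwords that embed a token of their own secret name. All secret names and values are constructed; in practice the pairs would come from `boto3` `list_secrets`/`get_secret_value` under a dedicated audit role, and the report never needs to echo a plaintext value.

```python
"""Audit Secrets Manager entries for password reuse and name-derived passwords.

Added example for illustration only. The secret names and values below are
constructed and are not real credentials; none are taken from the article.
"""
import json
import re
from collections import defaultdict

# Keys that commonly carry a credential inside a JSON-formatted SecretString.
CREDENTIAL_KEYS = {"password", "passwd", "pwd", "db_password", "secret", "api_key", "token"}

# Name fragments too generic to count as "derived from the system name".
GENERIC_TOKENS = {"prod", "dev", "stage", "test", "db", "api", "key", "secret", "password"}


def extract_credential_values(secret_string):
    """Return the credential-bearing values of one SecretString (JSON object or raw string)."""
    try:
        obj = json.loads(secret_string)
    except (TypeError, ValueError):
        obj = None
    if isinstance(obj, dict):
        return [str(v) for k, v in obj.items() if k.lower() in CREDENTIAL_KEYS and v]
    return [secret_string] if secret_string else []


def find_reused_passwords(secrets):
    """Return sorted groups of secret names that share one credential value (groups of size > 1)."""
    names_by_value = defaultdict(set)
    for name, secret_string in secrets:
        for value in extract_credential_values(secret_string):
            names_by_value[value].add(name)
    return sorted(sorted(names) for names in names_by_value.values() if len(names) > 1)


def find_name_derived_passwords(secrets):
    """Return names of secrets whose credential embeds a token of the secret's own name, e.g. 'sfdc...'."""
    flagged = []
    for name, secret_string in secrets:
        tokens = {t.lower() for t in re.split(r"[/_\-.]", name) if len(t) >= 3} - GENERIC_TOKENS
        for value in extract_credential_values(secret_string):
            if any(tok in value.lower() for tok in tokens):
                flagged.append(name)
                break
    return sorted(flagged)


# Constructed sample: three secrets share one password, one password is built from its system name,
# and a raw token is duplicated into a second secret under a different key.
SAMPLE_SECRETS = [
    ("prod/oracle/reporting", '{"username": "rpt_user", "password": "Example1234"}'),
    ("prod/sfdc/etl", '{"username": "sfdc_etl", "password": "Example1234"}'),
    ("dev/analytics/db", '{"host": "db.internal", "password": "Example1234"}'),
    ("prod/sfdc/api", '{"client_id": "abc", "secret": "sfdcP@55w0rd01"}'),
    ("prod/webapp/db", '{"username": "app", "password": "k9#Qv2!zLp7rT0wX"}'),
    ("ci/github-token", "ghp_constructed_value_not_real"),
    ("stage/api/key", '{"api_key": "ghp_constructed_value_not_real"}'),
]


if __name__ == "__main__":
    # Only names are printed; plaintext values never leave the audit process.
    for group in find_reused_passwords(SAMPLE_SECRETS):
        print("shared credential across:", ", ".join(group))
    for name in find_name_derived_passwords(SAMPLE_SECRETS):
        print("name-derived credential:", name)
```

Usernames are deliberately not treated as credentials, since the same service account name legitimately appears in many secrets; only the keys in `CREDENTIAL_KEYS` are compared. A finding in either list is a rotation ticket for every secret in the group, not just one of them.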
“This is the kind of intelligence that doesn't lose value after containment; it gets weaponized in phishing and social engineering campaigns down the line,” Filipek tells Cybernews.
Furthermore, with this being LexisNexis's second confirmed breach in two years, Filipek says “the question shifts from 'how did this happen' to 'why hasn't more changed.'”
The attackers further said they obtained support case records, internal incident tickets, and insider survey responses from 13,000 attorneys at major law firms, including names, email addresses, IP addresses, and geolocation coordinates.
Not done yet, the cybercriminals also mentioned access to 82,000 support tickets – many containing plaintext user passwords – along with 45 employee password hashes tied to internal platforms.
Who is FulcrumSec?
FulcrumSec – apparently short for Fulcrum Security – posted the LexisNexis claims on BreachForums (BF) just weeks after joining the notorious cybercrime marketplace.
It’s unclear if the attackers are a new group or a previously known operator using a fresh alias.
Some threat-intel trackers list FulcrumSec as a “data broker” style actor, meaning they primarily leak or sell stolen datasets rather than deploy ransomware to encrypt victims.
FulcrumSec’s BF post links to both clearnet and darknet leak sites, which, as of Tuesday, only show a handful of previous victims posted on its “Index of Shame,” although it also refers to the victim listings as “our recent concept campaign.”
There are also some mentions of the self-proclaimed “threatspians” successfully breaching Blavity, a Los Angeles-based media company serving black millennials, back in October, compromising the records of 1.2 million users; however, those claims are not widely verified.
What is clear is that FulcrumSec likes to mock its victims.
In the alleged Blavity hack, they asked for a $120,000 payout, describing it as “a mere 10 cents per user whose data they mishandled.”
FulcrumSec also did not hold back in its missive to LexisNexis, which, according to the hackers, was contacted but “decided not to work with us on this.”
The hackers even took the time to lay out a cost analysis of the LexisNexis breach for anyone curious.
Anticipating LexisNexis would “characterise this as a ‘limited incident’ involving ‘no customer data,’" the attackers called out company CEO Mike Walsh to “explain which definition of ‘customer data’ excludes 400,000 named individuals with email addresses and phone numbers."
“The company that indexes the world’s legal information could not index its own IAM policies. Sad,” the group ended its post.