A data breach has hit the American data analytics company LexisNexis Legal & Professional after hackers breached its legacy servers.
LexisNexis provides legal, business, and academic analytics tools to governments and corporations across 150 countries.
The Georgia-based data analytics company learned of the breach after a threat actor using the alias FulcrumSec published 2 gigabytes of the stolen information. Upon learning of the data breach, LexisNexis L&P launched an investigation and notified law enforcement.
LexisNexis L&P confirms data breach
An analysis of the leaked information revealed that the LexisNexis data breach leaked customer names, business contact information, IP addresses, user IDs, product information, customer surveys, support tickets, and other details.
However, the data breach did not leak government-issued IDs, such as Social Security numbers and driver’s license numbers, or financial information, such as credit card numbers and bank details. Customer queries and contracts were not leaked either. LexisNexis L&P says the leaked data was not critical and primarily contained legacy and deprecated information dated “prior to 2020.”
Nevertheless, hackers could use the stolen information to create phishing messages to trick victims into disclosing more sensitive information, such as credit card numbers and account passwords.
Consequently, victims should be on the lookout for targeted phishing and avoid clicking on suspicious links or downloading suspicious attachments.
Additionally, they should be aware that reputable organizations do not request sensitive information, such as credit card numbers or login credentials, via text, phone, or social media.
Meanwhile, LexisNexis L&P believes the threat was contained successfully, and the data breach did not affect any of its products or services.
“LexisNexis confirming this intrusion right as FulcrumSec starts leaking stolen files is another reminder that high value data platforms draw attackers who move fast and play for leverage,” said Pete Luban, Field CISO at AttackIQ. “While the stolen information largely includes legacy data, even ‘non-critical’ customer and business metadata can fuel targeted phishing, account discovery, and follow-on intrusions when it is paired with exposed infrastructure details.”
LexisNexis L&P hacked via React2Shell vulnerability
The attacker claims to have gained access by breaching the company’s AWS infrastructure after exploiting a React2Shell vulnerability in a React frontend app.
React2Shell (CVE-2025-55182) is a critical security vulnerability with the maximum CVSS v3 score of 10.0. It could allow an unauthenticated attacker to execute code remotely “through a single malicious HTTP request,” according to Microsoft.
It affects React Server Components, Next.js, and related JavaScript components on both Windows and Linux operating systems. Hackers have exploited the security vulnerability in the wild since as early as December 5, 2025. The China-nexus cyberespionage groups Earth Lamia and Jackpot Panda, as well as financially motivated gangs, are among those that have exploited it.
The attacker accused the company of negligence for allegedly failing to patch the React2Shell vulnerability, months after it was discovered. The company also allegedly used a weak RDS master password, Lexis1234, and allowed a single ECS role to access every secret, including the production Redshift master password.
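The single-role, every-secret pattern alleged above can be caught in a policy review. The following is an added example, not LexisNexis configuration or code from the original article: it assumes the secrets are stored in AWS Secrets Manager, uses constructed policies with a placeholder account ID, and flags any Allow statement that would let a role read a secret unrelated to its workload (a hypothetical probe ARN). Condition, NotAction and NotResource elements are not evaluated.

```python
import re

# Constructed probe: a secret the audited workload has no reason to read.
PROBE = "arn:aws:secretsmanager:us-east-1:111122223333:secret:zz-unrelated-probe-AbCdEf"
READ_ACTION = "secretsmanager:GetSecretValue"

# Constructed sample policies (placeholder account ID 111122223333).
ONE_ROLE_ALL_SECRETS = {"Version": "2012-10-17", "Statement": [
    {"Sid": "AllSecrets", "Effect": "Allow",
     "Action": "secretsmanager:*", "Resource": "*"}]}
SCOPED = {"Version": "2012-10-17", "Statement": [
    {"Sid": "WebAppDbOnly", "Effect": "Allow",
     "Action": ["secretsmanager:GetSecretValue"],
     "Resource": "arn:aws:secretsmanager:us-east-1:111122223333:secret:webapp/db-??????"}]}


def _as_list(value):
    """IAM allows a single string or a list for Statement, Action and Resource."""
    return value if isinstance(value, list) else [value]


def iam_match(pattern, value, flags=0):
    """IAM-style wildcard match: '*' is any run of characters, '?' is one character."""
    rx = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(rx, value, flags) is not None


def broad_secret_grants(policy):
    """Return (sid, action, resource) for each grant that can read the probe secret."""
    findings = []
    for i, stmt in enumerate(_as_list(policy.get("Statement", []))):
        if stmt.get("Effect") != "Allow" or "Action" not in stmt or "Resource" not in stmt:
            continue  # Deny, NotAction and NotResource statements are out of scope here
        for action in _as_list(stmt["Action"]):
            # Action names are case-insensitive in IAM.
            if not iam_match(action, READ_ACTION, re.IGNORECASE):
                continue
            for resource in _as_list(stmt["Resource"]):
                if iam_match(resource, PROBE):
                    findings.append((stmt.get("Sid", f"statement[{i}]"), action, resource))
    return findings


if __name__ == "__main__":
    for name, policy in (("broad", ONE_ROLE_ALL_SECRETS), ("scoped", SCOPED)):
        print(name, broad_secret_grants(policy))
```

The scoped policy passes because its resource names one secret and leaves wildcards only for the six-character suffix Secrets Manager appends to secret ARNs.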
Meanwhile, the attacker claims to have obtained the information of over 400,000 cloud user profiles and over 100 ‘.gov’ email users, including government employees such as SEC staff, federal judges, and court clerks. Similarly, 21,042 enterprise accounts were compromised. The data breach affected government agencies, law firms, universities, and insurance companies, according to the attacker.
“When a platform trusted by government, legal, and regulatory agencies gets breached, the impact can extend well beyond the organization itself,” said Ross Filipek, CISO at Corsica Technologies. “The stolen data here includes .gov accounts tied to federal judges, DOJ attorneys, and SEC staff, the kind of intelligence that doesn’t lose value after containment; it gets weaponized in phishing and social engineering campaigns down the line.”
In 2024, LexisNexis experienced a data breach that leaked the personal information of over 364,000 people. It leaked the victims’ names, contact information, Social Security Numbers, and driver’s license information.
“LexisNexis works with 91 percent of Fortune 100 companies and 85 percent of Fortune 500 companies, which means its footprint spans some of the most influential organizations in the world,” said Steve Cobb, Chief Information Security Officer at SecurityScorecard. “Incidents like this reinforce that data brokers and analytics providers are not peripheral players. They are deeply embedded in today’s risk landscape.”

