Hackers broke into LexisNexis through an unpatched vulnerability and walked away with 3.9 million records — including data tied to federal judges, DOJ attorneys, and SEC staff. Here’s what actually happened.
A company that sells legal intelligence and risk management just got hacked through a vulnerability they forgot to patch. That’s the short version.
The longer version is worse.
What Actually Happened
On February 24, 2026, a hacker group calling itself FulcrumSec gained access to LexisNexis's AWS cloud infrastructure by exploiting React2Shell, a publicly known flaw in React, in a frontend application that had reportedly been left unpatched and exposed for months (CNN).
Once inside, they didn't just grab a few files and leave. The attackers accessed 536 Redshift tables, over 430 VPC database tables, 53 plaintext AWS Secrets Manager secrets, 3.9 million database records, and around 400,000 cloud user profiles containing real names, emails, phone numbers, and job functions (CNN). The Secrets Manager detail matters: the service hands a secret's plaintext value to any identity that is allowed to call GetSecretValue, so reading 53 of them means whichever identity the attackers were operating under had been granted read access to far more than a public-facing frontend should ever need.
And then they posted everything publicly on underground forums.
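The pattern described above, a single application identity suddenly reading many distinct secrets in a short window, is visible in CloudTrail long before the data shows up on a forum. The following detector is an added example for this article, not code from LexisNexis or from any of the cited reports. The role names, account id, secret names and timestamps are constructed; the field names follow the CloudTrail record schema (eventSource, eventName, userIdentity.arn, requestParameters.secretId, eventTime).

```python
"""Flag bulk AWS Secrets Manager reads in CloudTrail.

Added example; not code from LexisNexis or from the cited reports.
Detection idea: an application identity that normally reads one or two
secrets calling GetSecretValue against many distinct secrets within minutes
is what a compromised frontend looks like when it pivots into the account.
All identities, secret names and timestamps below are constructed.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta, timezone

WINDOW = timedelta(minutes=10)   # sliding window length
THRESHOLD = 5                    # distinct secrets per principal per window

# Constructed identities (assumed names, not from the article).
APP_ROLE = "arn:aws:sts::123456789012:assumed-role/web-frontend-role/i-0abc"
ETL_ROLE = "arn:aws:sts::123456789012:assumed-role/nightly-etl-role/job-7"


def make_event(time, arn, secret_id, source_ip="203.0.113.10"):
    """Build one CloudTrail-shaped GetSecretValue record."""
    return {
        "eventTime": time,
        "eventSource": "secretsmanager.amazonaws.com",
        "eventName": "GetSecretValue",
        "userIdentity": {"type": "AssumedRole", "arn": arn},
        "requestParameters": {"secretId": secret_id},
        "sourceIPAddress": source_ip,
    }


# Constructed log file in CloudTrail's delivery shape: {"Records": [...]}.
SAMPLE_LOG = json.dumps({"Records":
    # baseline: the frontend reads the one secret it legitimately needs
    [make_event("2026-02-24T01:00:00Z", APP_ROLE, "prod/web/session-key")]
    # suspicious: the same frontend identity walks eight DB secrets in minutes
    + [make_event(f"2026-02-24T02:0{i}:00Z", APP_ROLE, f"prod/db/cluster-{i}")
       for i in range(8)]
    # benign: an ETL job touches six secrets, but only one per hour
    + [make_event(f"2026-02-24T{3 + i:02d}:00:00Z", ETL_ROLE, f"prod/etl/source-{i}")
       for i in range(6)]
})


def _ts(s):
    """CloudTrail eventTime is ISO 8601 UTC with a trailing Z."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def load_records(text):
    """Parse a CloudTrail log file body into its list of records."""
    return json.loads(text)["Records"]


def find_bulk_secret_reads(records, window=WINDOW, threshold=THRESHOLD):
    """Return {principal_arn: sorted distinct secrets} for every principal that
    read at least `threshold` distinct secrets inside any `window`-long span."""
    reads = defaultdict(list)
    for rec in records:
        if rec.get("eventSource") != "secretsmanager.amazonaws.com":
            continue
        if rec.get("eventName") != "GetSecretValue":
            continue
        secret = rec.get("requestParameters", {}).get("secretId")
        if not secret:
            continue
        arn = rec.get("userIdentity", {}).get("arn", "unknown")
        reads[arn].append((_ts(rec["eventTime"]), secret))

    flagged = {}
    for arn, items in reads.items():
        items.sort()
        hit = set()
        start = 0
        for end in range(len(items)):
            # slide the window start forward until the span fits in `window`
            while items[end][0] - items[start][0] > window:
                start += 1
            distinct = {s for _, s in items[start:end + 1]}
            if len(distinct) >= threshold:
                hit |= distinct
        if hit:
            flagged[arn] = sorted(hit)
    return flagged


if __name__ == "__main__":
    for arn, secrets in find_bulk_secret_reads(load_records(SAMPLE_LOG)).items():
        print(f"ALERT {arn} read {len(secrets)} distinct secrets: {secrets}")
```

The ETL role touches six secrets but one per hour and never trips the window, while the frontend role's burst of eight reads in seven minutes is reported as a single alert. Tune WINDOW and THRESHOLD per identity: the right baseline is what that role reads on a normal day, and for a public-facing frontend that number should be close to one.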
The Part That Should Make You Uncomfortable
Among the exposed accounts, 118 users had .gov email addresses, including federal judges, US Department of Justice attorneys, SEC staff, and federal court law clerks (Tom's Guide).
That’s not random customer data. That’s the legal infrastructure of the United States government sitting in a leaked database on a cybercrime forum.
What LexisNexis Said
The company confirmed the breach but immediately played it down. A spokesperson said the stolen data was "mostly legacy, deprecated data from prior to 2020" and that it didn't include Social Security numbers, financial data, active passwords, or customer search queries (KQ2).
They also said the matter is now contained. They brought in a third-party forensics firm. They notified law enforcement.
FulcrumSec said it had tried reaching out to LexisNexis before going public, most likely to demand a ransom, and that the company "decided not to work with us" (KQ2). So the hackers dumped everything.
Here’s the Honest Read
LexisNexis calling this "legacy data" is technically accurate and completely misleading at the same time. Old data with real names, government email addresses, job titles, and law firm contact details is still dangerous. Phishing campaigns don't care if an email address is from 2019, and a message that correctly names your employer, your role, and a colleague gets opened.
The React2Shell flaw had been publicly known, with fixes available, for months before this attack, and FulcrumSec reportedly exploited it in an application LexisNexis had left unpatched (Tom's Guide). A company whose entire business model is built on managing legal and risk intelligence failed to manage its own risk.
This also isn't their first breach. LexisNexis confirmed a separate 2024 intrusion in which the personal information of over 360,000 people was stolen (GSMArena). This is now the second confirmed breach in under two years.
If you’ve ever appeared in a LexisNexis legal database, background check, or survey — your contact information may be out there. Watch for phishing emails that already know your name, your job title, and your employer. That’s the real risk here. Not the breach itself. What comes after it.
SOURCE: BleepingComputer | SecurityWeek | TechRadar
