FBI Seizes LeakBase After LexisNexis Breach Exposes 400,000 Users — Including Federal Judges and DoJ Attorneys
Tech Mar 5, 2026 · 6 min read

Legal data giant LexisNexis confirmed hackers stole information on 400,000 people, including over 100 government officials, while the FBI simultaneously dismantled LeakBase, the cybercrime forum where stolen data is traded. The timing suggests law enforcement is racing to contain a sprawling underground economy.

SecurityWeek, TechRadar, BleepingComputer

LexisNexis, the legal research and analytics giant, confirmed this week that hackers breached its systems and stole data on 400,000 people — including more than 100 individuals with .gov email addresses, among them federal judges, Department of Justice attorneys, and SEC staff. The company insists the damage is minimal, calling the stolen files "legacy, deprecated data from prior to 2020." The hackers tell a very different story.

A threat actor calling itself FulcrumSec announced the intrusion on a cybercrime forum Tuesday, claiming it exploited the React2Shell vulnerability and improperly secured AWS instances to exfiltrate over 2GB of data, according to SecurityWeek. The group says it accessed hundreds of Redshift tables, VPC database tables, dozens of AWS Secrets Manager secrets in plaintext, employee password hashes, and millions of database records. BleepingComputer reported that the attackers claim they broke into a React container with access to thousands of customer accounts and sensitive corporate infrastructure.

LexisNexis Legal Professional acknowledged the breach but downplayed its severity. "These servers contained mostly legacy, deprecated data from prior to 2020, including information such as customer names, user IDs, business contact information, products used, customer surveys with respondent IP addresses, and support tickets," a company spokesperson told TechRadar. The firm emphasized that the compromised data did not include Social Security numbers, driver's license numbers, credit card information, bank accounts, active passwords, or customer search queries.

That framing feels inadequate when you consider what the hackers say they actually obtained. The stolen personal information includes names, phone numbers, email addresses, and job roles for roughly 400,000 cloud user profiles — a treasure trove for social engineering attacks or targeted phishing campaigns. And the presence of government officials in that dataset is particularly troubling. Federal judges and DoJ attorneys handle some of the most sensitive legal matters in the country. Even "business contact details" can be weaponized in the wrong hands.

FulcrumSec claims it attempted to extort LexisNexis before the breach went public, but "the company decided not to work with us," the group said. That refusal to negotiate — assuming the claim is accurate — may have been the right call from a policy standpoint, but it also meant the data ended up on underground forums anyway. LexisNexis now says it believes the attack is "contained," though it's unclear what that means when the files are already circulating.

This isn't LexisNexis's first rodeo. SecurityWeek noted that LexisNexis Risk Solutions confirmed a 2024 breach at a third-party vendor that exposed information on more than 360,000 people. The pattern is familiar: a major data broker gets breached, minimizes the damage in public statements, and leaves users to wonder what "legacy" really means when your email and job title are now in a hacker's database.

The timing of this breach is notable for another reason. On March 3 and 4, the FBI led a coordinated international operation to dismantle LeakBase, one of the most active cybercrime forums where stolen data and hacking tools are bought and sold. According to BleepingComputer, the FBI seized LeakBase's domains, posted seizure banners, and collected evidence including IP logs and private messages from the forum's 142,000 members. The operation, dubbed "Operation Leak," involved law enforcement agencies across 14 countries and resulted in around 100 enforcement actions worldwide, including arrests and search warrants in the United States, Australia, Belgium, Poland, Portugal, Romania, Spain, and the United Kingdom.

LeakBase had been active since 2021, launched as a project supported by the ARES threat group, and grew rapidly after the closure of the Breached hacker forum. It offered free access to databases, a marketplace for selling leaks and exploits, and even an escrow payment system. Europol noted that authorities targeted 37 of the forum's most active users during the takedown. The domain now displays an FBI seizure notice warning that "all forum content including users' accounts, posts, credit details, private messages and IP logs have been secured and preserved for evidentiary purposes."

The LeakBase seizure follows a pattern of high-profile forum takedowns — RaidForums in 2022, BreachForums in 2023, and the conviction of the BreachForums founder in 2025. But these forums are hydra-headed. When one gets shut down, another emerges. LeakBase itself rose from the ashes of Breached. The question is whether law enforcement can disrupt the underlying economy faster than new marketplaces can spin up.

What's striking about the LexisNexis breach is how it illustrates the disconnect between corporate messaging and hacker reality. LexisNexis wants us to believe this was a minor incident involving outdated files. FulcrumSec says it accessed live AWS secrets, employee credentials, and government user data. Both can't be entirely right. Either the hackers are exaggerating their access to inflate their reputation, or LexisNexis is minimizing the breach to avoid regulatory scrutiny and customer panic.

Given that the hackers leaked 2GB of files as proof, and given LexisNexis's admission that customer names, user IDs, and business contact information were compromised, the truth likely sits somewhere uncomfortable. Even "legacy" data has value. Email addresses don't expire. Job titles change, but knowing someone worked at the SEC in 2019 is still useful intelligence for a sophisticated attacker.

The broader issue is that companies like LexisNexis are critical infrastructure for the legal system and corporate world, yet they're being breached with alarming regularity. The fact that hackers allegedly exploited an unpatched React frontend app and misconfigured AWS instances — both preventable vulnerabilities — suggests this wasn't a nation-state zero-day. These were basic security hygiene failures at a company that bills itself as a leader in risk solutions.

Meanwhile, the FBI's LeakBase takedown is a reminder that the marketplace for stolen data is thriving. With 142,000 members and a steady stream of fresh leaks, LeakBase was a bustling bazaar for cybercriminals. The seizure will disrupt operations temporarily, but the demand for stolen credentials and corporate secrets isn't going anywhere. The next forum is probably already being coded.

For LexisNexis users — especially those with .gov addresses — the calculus is simple: assume your information is compromised and act accordingly. Enable multi-factor authentication everywhere. Watch for phishing attempts that reference your job or employer. And maybe ask why a company that sells risk management tools to Fortune 500 clients couldn't manage its own AWS security.

The LexisNexis breach and the LeakBase seizure are two sides of the same coin. One shows how easily attackers can penetrate even well-resourced companies. The other shows how law enforcement is scrambling to shut down the infrastructure where that stolen data gets monetized. But until the underlying incentives change — until breaches carry real consequences for negligent companies, and until the economics of cybercrime become less attractive — we're just playing whack-a-mole with forums and hoping the next breach isn't worse than the last.
