LexisNexis Confirms Data Breach After Hackers Exploit Unpatched React App, Leak 2GB of Government Files
Mar 4, 2026

Legal data giant LexisNexis admitted hackers breached its AWS servers via an unpatched React vulnerability, exposing information on 21,000 customer accounts including 118 U.S. government employees, federal judges, and DOJ attorneys. The breach is part of a broader wave hitting enterprise systems, from Oracle EBS to third-party vendors.

BleepingComputer, SecurityWeek, Virginia Tech News

LexisNexis Legal Professional has confirmed to BleepingComputer that hackers breached its servers and accessed customer and business information, marking the second security incident for the legal data giant in less than a year. The admission came as a threat actor named FulcrumSec leaked 2GB of files across underground forums, exposing what the company calls "legacy, deprecated data" — a characterization that undersells the sensitivity of what was actually compromised.

According to FulcrumSec, they gained access to LexisNexis's AWS infrastructure on February 24 by exploiting the React2Shell vulnerability in an unpatched React frontend application. Once inside, the hackers claim they exfiltrated 2.04GB of structured data, including 536 Redshift tables, 430+ VPC database tables, 53 AWS Secrets Manager secrets in plaintext, 3.9 million database records, and 21,042 customer accounts. They also obtained 45 employee password hashes and complete VPC infrastructure mapping — a blueprint of the company's cloud architecture that would be gold for any sophisticated attacker planning a return visit.

LexisNexis tried to minimize the damage, telling BleepingComputer that the stolen information was "mostly legacy, deprecated data from prior to 2020" and did not include Social Security numbers, driver's license numbers, credit card information, active passwords, or customer search queries. But that framing ignores the crown jewels of what FulcrumSec actually published: information on more than 100 users with .gov email addresses, including U.S. government employees, federal judges and law clerks, U.S. Department of Justice attorneys, and U.S. SEC staff. The hackers said they had access to around 400,000 cloud user profiles containing real names, emails, phone numbers, and job functions — precisely the kind of intelligence that nation-state actors and sophisticated criminals salivate over.

FulcrumSec didn't just dump the data and disappear. They contacted LexisNexis, but the company "decided not to work with us on this," the hackers said. They also took the unusual step of publicly criticizing LexisNexis's security practices, noting that a single ECS task role had read access to every secret in the account, including the production Redshift master credential. That's a catastrophic configuration error — the equivalent of giving a janitor the master key to every room in a skyscraper because it's convenient. It suggests that LexisNexis, a company whose entire business model depends on safeguarding sensitive legal and regulatory information, was running its cloud infrastructure with security controls that wouldn't pass muster at a mid-sized SaaS startup.
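A task role that can read every secret in the account, as described above, can be caught by reviewing its policy document before deployment. The following is an added example, not code from LexisNexis or the cited reports: it flags Allow statements that grant secret reads across all secrets. The policies, Sids and account ID are constructed, and Deny, NotAction and NotResource are not evaluated.

```python
import fnmatch

# Secrets Manager actions that return secret values.
SECRET_READ_ACTIONS = ("secretsmanager:GetSecretValue",
                       "secretsmanager:BatchGetSecretValue")

def _as_list(value):
    # IAM allows Action/Resource to be a single string or a list.
    return [value] if isinstance(value, str) else list(value or [])

def _action_matches(pattern, action):
    # IAM action names are case-insensitive and accept * and ? wildcards.
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())

def _is_all_secrets(resource):
    # "*" or a Secrets Manager ARN whose resource part is "*" / "secret:*".
    if resource == "*":
        return True
    parts = resource.split(":", 5)
    return (len(parts) == 6 and parts[0] == "arn"
            and parts[2] in ("secretsmanager", "*")
            and parts[5] in ("*", "secret:*"))

def broad_secret_read(policy):
    """Return Allow statements that grant secret reads on every secret."""
    stmts = policy.get("Statement", [])
    if isinstance(stmts, dict):
        stmts = [stmts]
    findings = []
    for i, stmt in enumerate(stmts):
        if stmt.get("Effect") != "Allow" or "Action" not in stmt:
            continue
        patterns = _as_list(stmt["Action"])
        hit = sorted(a for a in SECRET_READ_ACTIONS
                     if any(_action_matches(p, a) for p in patterns))
        wide = [r for r in _as_list(stmt.get("Resource")) if _is_all_secrets(r)]
        if hit and wide:
            findings.append({"sid": stmt.get("Sid", f"#{i}"), "actions": hit,
                             "resources": wide, "conditional": "Condition" in stmt})
    return findings

# Constructed policies: one over-broad task role, one scoped to a single prefix.
WEAK = {"Version": "2012-10-17", "Statement": [
    {"Sid": "AppSecrets", "Effect": "Allow",
     "Action": "secretsmanager:Get*", "Resource": "*"}]}
SCOPED = {"Version": "2012-10-17", "Statement": [
    {"Sid": "AppSecrets", "Effect": "Allow",
     "Action": ["secretsmanager:GetSecretValue"],
     "Resource": "arn:aws:secretsmanager:us-east-1:111122223333:secret:orders-api/*"}]}
```

A finding with `conditional` set to true still needs manual review, since a Condition block may narrow the grant.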

This isn't LexisNexis's first rodeo. Last year, according to BleepingComputer, the company disclosed another breach after hackers compromised a corporate account and accessed sensitive information belonging to 364,000 customers. Two breaches in two years, both involving customer data, should raise serious questions about whether the company's security posture is adequate for the trust it's asking clients to place in it. LexisNexis has notified law enforcement and contracted an external cybersecurity expert to assist with the investigation, but those are reactive measures — the digital equivalent of calling the fire department after your house has burned down.

The LexisNexis breach is part of a broader pattern of enterprise systems falling to increasingly brazen attackers. Madison Square Garden confirmed in recent notifications that it suffered a data breach stemming from the Cl0p ransomware group's campaign targeting customers of Oracle's E-Business Suite, according to SecurityWeek. Hackers exploited zero-day vulnerabilities in Oracle EBS to gain access to data from more than 100 organizations. MSG Entertainment told the Maine Attorney General's Office that personal information, including names and Social Security numbers, was compromised in the August 2025 attack — though it took until February 2026 for the company to start notifying affected individuals. The Oracle EBS campaign hit Korean Air, auto parts giant LKQ, and others, demonstrating that attackers are systematically targeting widely-deployed enterprise software with known vulnerabilities.

Meanwhile, Virginia Tech notified employees enrolled in Anthem health plans that Conduent, Inc., a third-party vendor providing printing and mailing services to Anthem's parent company Elevance Health, suffered a breach traced to compromised VPN credentials. According to the university's notice, an unauthorized third party had access to Conduent's environment from October 21, 2024, through January 13, 2025 — nearly three months of undetected access. The affected files contained employee names, addresses, and Social Security numbers. Conduent discovered the breach on January 13, 2025, but notification letters didn't go out until late December through January 2026, and Virginia Tech's public notice came in late February. That's a timeline that suggests either a painfully slow investigation or a reluctance to disclose until absolutely necessary.

What ties these incidents together is a common thread of preventable failures: unpatched software, misconfigured cloud permissions, compromised VPN credentials, and third-party vendors with inadequate security controls. These aren't zero-day exploits by nation-state actors using quantum computers and AI-powered attack tools. They're basic security hygiene failures — the digital equivalent of leaving your front door unlocked and wondering why someone walked in.

The LexisNexis breach is particularly galling because the company positions itself as a trusted steward of sensitive legal and regulatory information. Lawyers, corporations, governments, and academic institutions in more than 150 countries worldwide rely on LexisNexis for mission-critical research and analytics. If you can't trust your legal research provider to patch a React app or configure AWS permissions correctly, what can you trust them with? FulcrumSec's decision to publicly shame the company's security practices — while ethically dubious given their criminal activity — highlights an uncomfortable truth: sometimes it takes a hacker to expose just how badly companies are failing at the basics.

The broader implication is that enterprise software and third-party vendors have become the soft underbelly of corporate security. Organizations spend millions on perimeter defenses, endpoint protection, and threat intelligence, only to get breached because a vendor they've never heard of left VPN credentials exposed or an unpatched React app sitting in AWS. The LexisNexis breach, the Oracle EBS campaign, and the Conduent incident all demonstrate that attackers have figured out the game: why hack the front door when you can walk through the vendor's back entrance?

For the 118 government employees, federal judges, DOJ attorneys, and SEC staff whose information was exposed in the LexisNexis breach, the damage is already done. Their names, emails, phone numbers, and job functions are now in the hands of whoever downloaded FulcrumSec's 2GB dump. That's the kind of intelligence that can fuel spear-phishing campaigns, social engineering attacks, and targeted espionage for years to come. LexisNexis can offer credit monitoring and identity restoration services, but those are band-aids on a bullet wound. The real question is whether the company will fundamentally rethink its security posture — or just wait for the next breach to force its hand.