On March 3-4, 2026, LexisNexis Legal & Professional confirmed a data breach after threat actor FulcrumSec published stolen data on underground forums. The breach, which originated on February 24, 2026, exploited a chain of vulnerabilities in the company's AWS cloud infrastructure.
Attack Chain
According to Security Boulevard and BleepingComputer, the attack followed this progression:
- Initial access via the React2Shell vulnerability (CVE-2025-55182) in an unpatched React frontend application
- Privilege escalation through an over-permissive AWS ECS task role that granted access to all AWS Secrets Manager entries
- Credential harvesting — 53 plaintext secrets discovered, including a hardcoded password ("Lexis1234") reused across five different secret entries spanning RDS, Aurora, and development databases
Data Exposed
CyberNews and The Register reported the following data was exfiltrated:
| Data Category | Volume |
|---|---|
| Total structured data exfiltrated | 2.04 GB |
| Database records | 3.9 million |
| Redshift tables accessed | 536 |
| VPC database tables | 430+ |
| Cloud user profiles (with PII) | ~400,000 |
| Customer account records | 21,042 |
| US government employee records (.gov) | 118 |
| Plaintext AWS secrets | 53 |
The 118 government profiles included federal judges, DOJ attorneys, federal court law clerks, probation officers, and SEC staff.
LexisNexis Response
LexisNexis stated the matter was "now contained" and that the compromised data was "mostly legacy, deprecated data from prior to 2020." The company confirmed that no Social Security numbers, credit card numbers, or bank account information were exposed. Third-party digital forensics and law enforcement were engaged.
Context
The breach illustrates a textbook cloud security failure: a single over-permissive IAM role combined with hardcoded credentials turned a web application vulnerability into full infrastructure compromise. For organisations managing AWS environments, this is a direct reminder that IAM least-privilege (ISO 27001 Annex A control 8.2) and secrets management (control 8.4) are not optional hygiene — they are the primary blast radius controls.
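Two audit checks that target exactly the failure pattern described above, as an added example (not code from the page, LexisNexis, or any of the cited outlets): one flags ECS task-role policy statements that can read every Secrets Manager entry, the other finds one password value stored under several secret names. All policies, the account id and the secret values are constructed sample data.

```python
import fnmatch
import hashlib
from collections import defaultdict

# Actions that return secret material; "secretsmanager:*" and "*" also cover them.
SECRET_READ_ACTIONS = ("secretsmanager:GetSecretValue", "secretsmanager:BatchGetSecretValue")

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _covers_all_secrets(resource):
    # "*" or an ARN whose secret-name part is just "*" spans every reachable secret.
    if resource == "*":
        return True
    _prefix, sep, name = resource.partition(":secret:")
    return sep == ":secret:" and name == "*"

def overbroad_secret_statements(policy):
    """Return the Sids of Allow statements that let the principal read every secret."""
    flagged = []
    for i, stmt in enumerate(_as_list(policy.get("Statement", []))):
        if stmt.get("Effect") != "Allow":
            continue
        patterns = [a.lower() for a in _as_list(stmt.get("Action", []))]
        reads_secrets = any(fnmatch.fnmatch(a.lower(), p) for a in SECRET_READ_ACTIONS for p in patterns)
        if reads_secrets and any(_covers_all_secrets(r) for r in _as_list(stmt.get("Resource", []))):
            flagged.append(stmt.get("Sid", f"Statement[{i}]"))
    return flagged

def reused_secret_values(secrets):
    """Group secret names by a fingerprint of their value; return only groups that share one value."""
    groups = defaultdict(list)
    for name, value in secrets.items():
        groups[hashlib.sha256(value.encode()).hexdigest()[:12]].append(name)
    return {fp: sorted(names) for fp, names in groups.items() if len(names) > 1}

# Constructed sample policies (hypothetical account id): the failure shape, then a scoped replacement.
OVERBROAD_TASK_ROLE_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "ReadAnySecret", "Effect": "Allow", "Action": "secretsmanager:*", "Resource": "*"}]}
SCOPED_TASK_ROLE_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "ReadOwnSecret", "Effect": "Allow", "Action": ["secretsmanager:GetSecretValue"],
     "Resource": "arn:aws:secretsmanager:us-east-1:123456789012:secret:prod/webapp/db-*"}]}
# Constructed secret store: one password value stored under three different names.
SAMPLE_SECRETS = {"prod/rds/app": "Xy7!kq", "prod/aurora/app": "Xy7!kq",
                  "dev/db/app": "Xy7!kq", "prod/api/key": "unique-value-1"}

if __name__ == "__main__":
    print(overbroad_secret_statements(OVERBROAD_TASK_ROLE_POLICY))  # ['ReadAnySecret']
    print(overbroad_secret_statements(SCOPED_TASK_ROLE_POLICY))  # []
    print(reused_secret_values(SAMPLE_SECRETS))
```

In a real environment the policy documents come from `iam:GetRolePolicy` / `iam:GetPolicyVersion` on each ECS task role and the value map from `secretsmanager:BatchGetSecretValue`, run from an audit role rather than the task role itself.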