Hackers claim to have breached systems belonging to LexisNexis, a global provider of legal and data analytics services, exposing internal records linked to hundreds of thousands of user accounts, including government-affiliated email addresses.
The alleged breach was published online by a threat actor calling itself FulcrumSec, which released a dataset said to contain roughly 3.9 million database records. According to the claim, the data includes profile information tied to about 400,000 users as well as records connected to enterprise customers such as law firms, universities, corporations, and government agencies.
Some of the records reportedly include email addresses associated with United States government domains. The dataset allegedly references accounts linked to courts and federal agencies, including judges, Department of Justice attorneys, and other public sector staff.
The attackers said they gained access to the company’s cloud environment hosted on Amazon Web Services by exploiting a vulnerability in an unpatched React application. According to the claims, the flaw provided entry into the environment, where attackers were able to obtain database credentials and access internal systems.
The leaked data is described as about 2.04 GB of structured information. It allegedly includes enterprise customer accounts, internal support records, system credentials, and information describing how clients use various LexisNexis products. The dataset also reportedly contains agreement records that map customers to subscription services and contract details.
Security researchers cited in the report said that the compromise may have involved overly permissive access roles within the cloud infrastructure, which allowed the attackers to retrieve credentials stored in systems such as AWS Secrets Manager. The threat actor also claimed that dozens of plaintext credentials were accessible in the environment.
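As an added illustration of the over-permissive role problem described above (not code from the report, LexisNexis, or the researchers), this Python check flags IAM policy statements that allow `secretsmanager:GetSecretValue` on every secret. The sample policies, account ID, region and function names are constructed assumptions.

```python
import fnmatch

# Constructed sample policies (not from the incident): a role policy that can
# read every secret, and a version scoped to one application prefix.
WEAK = {"Version": "2012-10-17", "Statement": [
    {"Sid": "AppConfig", "Effect": "Allow",
     "Action": ["secretsmanager:Get*", "s3:GetObject"], "Resource": "*"}]}
SCOPED = {"Version": "2012-10-17", "Statement": {
    "Sid": "AppConfig", "Effect": "Allow",
    "Action": "secretsmanager:GetSecretValue",
    "Resource": "arn:aws:secretsmanager:us-east-1:111122223333:secret:webapp/*"}}

TARGET = "secretsmanager:getsecretvalue"


def _as_list(value):
    """IAM accepts a single value or a list for Statement/Action/Resource."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _matches(pattern, value):
    # IAM wildcards are * and ?; comparing in lower case errs toward flagging.
    return fnmatch.fnmatchcase(value.lower(), pattern.lower())


def overbroad_secret_reads(policy, account="111122223333", region="us-east-1"):
    """Return findings for Allow statements granting GetSecretValue on any secret.

    Condition blocks are not evaluated, so a finding is a prompt for review.
    """
    # A secret name no scoped pattern should cover; matching it means "all secrets".
    probe = f"arn:aws:secretsmanager:{region}:{account}:secret:unrelated-probe-AbCdEf"
    findings = []
    for i, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid", i)
        # NotAction / NotResource grant by exclusion; surface them for manual review.
        if "NotAction" in stmt or "NotResource" in stmt:
            findings.append(f"{sid}: uses NotAction/NotResource")
            continue
        reads = any(_matches(a, TARGET) for a in _as_list(stmt.get("Action")))
        broad = any(_matches(r, probe) for r in _as_list(stmt.get("Resource")))
        if reads and broad:
            findings.append(f"{sid}: GetSecretValue on all secrets")
    return findings
```

Run it over the policy documents attached to each role that an internet-facing application can assume; an empty result means no statement in that document reads secrets outside its own prefix.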
LexisNexis confirmed that an unauthorized party accessed a limited number of its servers but said the exposed data consisted largely of older or noncritical information. The company said the affected systems contained legacy data from before 2020, including user identifiers, customer contact information, product usage details, support tickets, and survey responses.
The company also stated that highly sensitive data such as Social Security numbers, bank account information, credit card numbers, and active passwords were not accessed. Customer search queries, legal case data, and client matter information were also not part of the compromised systems, according to the company.
LexisNexis said it has contained the incident, engaged external cybersecurity investigators, and reported the breach to law enforcement authorities. The company is continuing to review the scope of the incident and notify affected customers where appropriate.
The threat actor posted the dataset on underground forums along with a message criticizing the company’s security practices. It remains unclear whether the attackers are a newly formed group or an existing operator using a new alias.