The company said an outside actor gained access to a limited number of servers. LexisNexis Legal & Professional provides legal research, regulatory information, and analytics tools to lawyers, corporations, government agencies, and universities in more than 150 countries. According to the firm, most of the accessed information came from older systems and was not considered sensitive, which reduced the potential impact.
Internal findings showed that much of the exposed data originated from legacy systems storing information created before 2020. Records included customer names, user IDs, and business contact details. Some files contained product usage information and logs from past support tickets, including IP addresses from survey responses. However, sensitive personal identifiers such as Social Security numbers or driver’s license data were not included. Financial information, active passwords, search queries, and confidential client case data were also not part of the compromised dataset.
The breach reportedly occurred around February 24 after attackers exploited the React2Shell vulnerability in an outdated front-end application built with React. The flaw allowed entry into cloud resources hosted on Amazon Web Services before it was addressed.
While LexisNexis described the affected systems as containing mostly obsolete data, FulcrumSec claimed the intrusion was broader. The group said it extracted about 2.04GB of structured data from the company’s cloud infrastructure, including numerous database tables, millions of records, and internal system configurations.
According to the attacker, the breach exposed more than 21,000 customer accounts and information linked to over 400,000 cloud user profiles, including names, email addresses, phone numbers, and job roles.
Some of the records reportedly belonged to individuals with .gov email addresses, including U.S. government employees, federal judges and law clerks, Department of Justice attorneys, and staff connected to the Securities and Exchange Commission.
FulcrumSec also criticized the company’s cloud security setup, alleging that a single ECS task role had access to numerous stored secrets, including credentials linked to production databases. The group said it attempted to contact the company but claimed no cooperation occurred.
LexisNexis stated that the breach has been contained and confirmed that its products and customer-facing services were not affected. The company notified law enforcement and engaged external cybersecurity experts to assist with investigation and response.
Customers, both current and former, have also been informed about the incident. The company had disclosed another breach last year after a compromised corporate account exposed data belonging to roughly 364,000 customers.
The latest case highlights how vulnerabilities in cloud applications and outdated software can expose enterprise systems even when they contain primarily legacy information.
