LexisNexis Legal & Professional is facing scrutiny following the confirmation of a data breach that has revealed sensitive information belonging to its users. As reported by BleepingComputer and TechRadar, the cybersecurity incident involved a threat actor named FulcrumSec, which claims to have accessed more than 3.9 million internal records by exploiting the React2Shell vulnerability. This flaw in an unpatched React frontend application allegedly allowed FulcrumSec to progress within a React container with access to numerous sensitive data repositories.
The exposed information reportedly includes plaintext login credentials and profile data associated with approximately 400,000 users. Further complicating matters, FulcrumSec alleges that data involving more than 100 users with .gov email addresses has been compromised, encompassing individuals working as federal judges, law clerks, U.S. Department of Justice attorneys, and SEC staff.
In response, LexisNexis confirmed the breach but attempted to mitigate concerns by stating that the information obtained was largely legacy data from before 2020, including customer names, user IDs, and business contact details, while assuring that Social Security numbers, driver’s license numbers, financial information, active passwords, or customer search queries were not exposed. The company emphasized that the breach was contained without impacting its products or services.
The breach has drawn frustrations from FulcrumSec, who criticized LexisNexis’ security practices, highlighting the reuse of inadequate passwords such as “Lexis1234.” The hackers reportedly sought contact with the company, potentially for ransom negotiations, but LexisNexis chose not to engage.
Security analysts warn that while LexisNexis has taken steps following the breach, the exposed credentials, particularly those linked to government users, present long-term risks such as phishing and social engineering attacks. The company has involved law enforcement and contracted an external forensics firm to further evaluate the impact.
This incident follows a previous breach in 2025 when another party exploited a third-party platform, underscoring ongoing concerns about LexisNexis’ cybersecurity resilience. FulcrumSec has stated that this latest breach is not linked to the prior incident.