-
Extortion group FULCRUMSEC alleges to have breached LexisNexis, pulling 2.04 GB of structured data straight from the company’s AWS infrastructure.
-
The hijacked data allegedly contains accounts of government officials, enterprise records in millions, as well as plaintext AWS confidential files.
-
LexisNexis has not openly confirmed or denied the event at the time of writing.
LexisNexis, the authorized information provider of RELX Group, an $80 billion firm that recorded an annual revenue of $9.7 billion last year and gives jobs to approximately 16,700 individuals, is now looking into a critical claimed data breach.
The extortion group FULCRUMSEC says it exploited a vulnerable React container running under a task role, which handed it entry into the company’s 17 VPC directories, production Redshift data hub, the Qualtrics survey platform, and Manager of AWS Secrets.
FULCRUMSEC published what it describes as the complete exfiltrated dataset, 2.04 GB of structured data. The bad actors also stated clearly that this hit is different from the 2024 LexisNexis incident that resulted in a class action legal repercussion.
FULCRUMSEC Claims Full Access to Production Systems
FULCRUMSEC says it pulled 536 Redshift tables and over 430 VPC database tables from what it identifies as LexisNexis’s Legal Data Warehouse, a live production Redshift cluster holding 261 unique tables across 536 schemas. The group claims it retrieved every last one of them.
The most alarming piece of the alleged exfiltration is the full contents of AWS Secrets Manager, 53 secrets sitting in plaintext. FULCRUMSEC describes these as production directory master passwords, API keys, as well as tokens. Effectively, the keys to the entire operation.
The Enterprise Data Warehouse, reportedly holding 3,909,708 records across 14 tables, also allegedly landed in the group’s hands. The largest table labeled auth stores over two million records that map every LexisNexis customer to their licensed products across 320 product lines. A second table holds 805,005 records, roughly 400,000 of which carry full names, email addresses, phone numbers, and job functions.
FULCRUMSEC also flagged four access control fields within that same table, governing which users can unmask Social Security Numbers, dates of birth, driver’s licence numbers, and Federal Employer Identification Numbers. Those flags, the group points out, reveal exactly who inside the system holds the most sensitive data access.
Government Accounts and Client Records Caught in the Crossfire
Among the approximately 400,000 cloud user profiles FULCRUMSEC claims to have stolen, the group flagged 118 accounts tied to .gov email addresses. FULCRUMSEC identifies these as belonging to DOJ attorneys, federal judges, law clerks of the federal court, and SEC staff.
Beyond individual users, FULCRUMSEC also claims it seized 21,042 customer profile records spanning law agencies, insurance companies, government agencies, and universities — what it describes as the company’s complete client roster. The group adds that it grabbed 300,564 agreement records, mapping each customer to their contract dates, subscribed products, pricing tiers, and renewal status.
The alleged exfiltration goes further still. FULCRUMSEC says it also took 5,582 attorney survey responses paired with IP addresses, 45 employee password hashes, and 10,000 IT support tickets — several of which apparently stored customer passwords in plaintext directly within the subject lines. Another 10,000 internal engineering defect records reportedly rounded out the haul.
This level of exposure echoes what happened to BreachForums, the notorious hacking forum where 324,000 user records were recently leaked, a reminder that in today’s threat landscape, data is the currency of crime, and everyone’s vault can be cracked.
LexisNexis Sells Cybersecurity Services: Yet Allegedly Left Its Own Door Open
LexisNexis runs two major divisions. Its Legal & Professional arm, led by CEO Mike Walsh, generates around $3.2 billion in revenue and serves major law firms, the US federal judiciary, the DOJ, and the SEC. Its Risk Solutions division, led by CEO Mark Kelsey, pulls in roughly $2.9 billion selling data analytics, identity verification, and cybersecurity risk assessment to banks, insurers, and government agencies.
FULCRUMSEC didn’t let that irony slide. The group stated that LexisNexis actively sells cybersecurity risk assessment services to its clients, while allegedly leaving its own React application unpatched for months after the React2Shell vulnerability went public, and failing to secure its own AWS environment in the process. LexisNexis has not come out to confirm or deny the breach at the time of writing.
