Lexis1234

On February 24, a group calling themselves FulcrumSec exploited CVE-2025-55182 (React2Shell) on a LexisNexis Legal & Professional frontend application. React2Shell is an unsafe deserialization flaw in React Server Components, CVSS 10.0, publicly disclosed in December 2025. LexisNexis left it unpatched for nearly three months on an internet-facing application.

From there, the attackers pivoted to a compromised ECS task role. That single role had read access to the production Redshift data warehouse, 17 VPC databases, AWS Secrets Manager, and a Qualtrics survey platform. 53 secrets were accessible in plaintext, including production database master passwords, tokens, and API keys.
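The over-permissioned task role is the part of this story a cloud security engineer can actually test for. What follows is an added example, not code from this article or from LexisNexis: it lints an IAM policy document for sensitive read actions (Secrets Manager, Redshift, RDS IAM auth) granted on unbounded resources, and measures how many secrets from an inventory a role holding that policy could read. The two policies, the account id 111122223333, the ARNs and the secret names are all constructed. It models Allow statements only; Deny statements, permission boundaries, SCPs and resource policies are not evaluated, so its answer is an upper bound on what the policy alone permits.

```python
import fnmatch
import json

# Constructed policies for illustration only; not LexisNexis's real IAM policies.
# The "broad" policy is the shape of grant that turns one compromised task into
# a read of every secret and database in the account.
BROAD_TASK_ROLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "ReadAnySecret", "Effect": "Allow",
         "Action": "secretsmanager:GetSecretValue", "Resource": "*"},
        {"Sid": "Warehouse", "Effect": "Allow",
         "Action": ["redshift:*", "redshift-data:*"], "Resource": "*"},
        {"Sid": "AnyDb", "Effect": "Allow",
         "Action": "rds-db:connect",
         "Resource": "arn:aws:rds-db:us-east-1:111122223333:dbuser:*/*"},
    ],
})

# The scoped version: one secret (AWS appends a 6-character suffix to secret
# ARNs, hence "-??????") and one database user on one instance.
SCOPED_TASK_ROLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "OwnSecretOnly", "Effect": "Allow",
         "Action": "secretsmanager:GetSecretValue",
         "Resource": "arn:aws:secretsmanager:us-east-1:111122223333:secret:prod/orders/db-ro-??????"},
        {"Sid": "OwnDbUser", "Effect": "Allow",
         "Action": "rds-db:connect",
         "Resource": "arn:aws:rds-db:us-east-1:111122223333:dbuser:db-ORDERS123/orders_ro"},
    ],
})

# Constructed secret inventory, as returned by a ListSecrets call in practice.
SECRET_INVENTORY = [
    "arn:aws:secretsmanager:us-east-1:111122223333:secret:prod/orders/db-ro-AbCdEf",
    "arn:aws:secretsmanager:us-east-1:111122223333:secret:prod/redshift/master-GhIjKl",
    "arn:aws:secretsmanager:us-east-1:111122223333:secret:prod/rds/master-MnOpQr",
    "arn:aws:secretsmanager:us-east-1:111122223333:secret:prod/survey-platform/api-key-StUvWx",
]

# Read capabilities that a stolen task-role credential turns directly into data access.
SENSITIVE_ACTIONS = (
    "secretsmanager:GetSecretValue",
    "secretsmanager:BatchGetSecretValue",
    "redshift:GetClusterCredentials",
    "redshift-data:ExecuteStatement",
    "rds-db:connect",
)


def _as_list(value):
    # IAM allows a single string or a list in Action/Resource/Statement.
    return value if isinstance(value, list) else [value]


def _action_matches(pattern, action):
    # IAM action matching is case-insensitive and supports '*' and '?' wildcards.
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def _resource_is_broad(resource):
    """True when the resource element spans every object of its type."""
    if resource == "*":
        return True
    parts = resource.split(":", 5)          # arn:partition:service:region:account:resource-id
    if len(parts) < 6:
        return "*" in resource
    resource_id = parts[5]
    # A leading wildcard, or a trailing '/*' or ':*', covers all objects of that kind.
    return resource_id.startswith("*") or resource_id.endswith("/*") or resource_id.endswith(":*")


def find_broad_grants(policy_json):
    """Return (sid, action pattern, resource) for every Allow that grants a sensitive
    read action on an unbounded resource. Inverted grants (NotAction/NotResource)
    are reported for manual review because they are almost always too wide."""
    findings = []
    for stmt in _as_list(json.loads(policy_json)["Statement"]):
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid", "?")
        if "NotAction" in stmt or "NotResource" in stmt:
            findings.append((sid, "NotAction/NotResource", "inverted grant, review"))
            continue
        for pattern in _as_list(stmt.get("Action", [])):
            if not any(_action_matches(pattern, a) for a in SENSITIVE_ACTIONS):
                continue
            for resource in _as_list(stmt.get("Resource", [])):
                if _resource_is_broad(resource):
                    findings.append((sid, pattern, resource))
    return findings


def readable_secrets(policy_json, secret_arns):
    """Secret ARNs from the inventory that the policy's Allow statements let the role read."""
    readable = set()
    for stmt in _as_list(json.loads(policy_json)["Statement"]):
        if stmt.get("Effect") != "Allow" or "NotAction" in stmt:
            continue
        actions = _as_list(stmt.get("Action", []))
        if not any(_action_matches(p, "secretsmanager:GetSecretValue") for p in actions):
            continue
        for pattern in _as_list(stmt.get("Resource", [])):
            readable.update(arn for arn in secret_arns if fnmatch.fnmatchcase(arn, pattern))
    return sorted(readable)


if __name__ == "__main__":
    for name, policy in (("broad", BROAD_TASK_ROLE_POLICY), ("scoped", SCOPED_TASK_ROLE_POLICY)):
        print(name, "broad grants:", find_broad_grants(policy))
        print(name, "readable secrets:", len(readable_secrets(policy, SECRET_INVENTORY)))
```

Run against the broad policy the linter reports four unbounded grants and every secret in the inventory as readable; against the scoped policy it reports none and exactly one secret. The second number is the one to track per task role: it is the blast radius of that role's credentials, and a role whose count approaches the size of the whole inventory is the configuration this breach describes.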

FulcrumSec claims the RDS master password was Lexis1234.

What was taken

2 GB of structured data. 536 Redshift tables. 3.9 million Enterprise Data Warehouse records. 400,000 cloud user profiles with full names, emails, phone numbers, and job functions. 21,042 customer account records. 45 employee password hashes. Complete VPC infrastructure mapping.

Among the profiles: 118 users with .gov email addresses. Federal judges. DOJ attorneys. SEC staff. Federal court law clerks.

LexisNexis described it as “mostly legacy, deprecated data from prior to 2020” on “a limited number of servers.” FulcrumSec published 2 GB on their leak site and Telegram channel.

The second breach

This is LexisNexis’s second major breach in under a year. The first, in December 2024, hit the Risk Solutions division through a GitHub-hosted development environment. That one went undetected for over three months and exposed Social Security numbers, dates of birth, and driver’s license numbers for 364,000 people.

Two breaches. Two different entry points. Two different divisions. The same organization. The pattern suggests a systemic governance problem, not isolated incidents.

What this says about data brokers

LexisNexis is not a small company that got unlucky. It is one of the largest data analytics firms in the world, owned by RELX plc, holding data on hundreds of millions of individuals. Its Risk Solutions division sells personal data to US Customs and Border Protection, ICE, insurance companies, and debt recovery firms. Its Legal division serves law firms, courts, and government agencies across 150 countries.

The entity trusted to hold the identities of federal judges and law enforcement personnel had an internet-facing application running a three-month-old CVSS 10.0 vulnerability, an ECS task role with read access to everything, and an alleged database password that could be guessed by a child.

An unpatched critical CVE. An over-permissioned cloud role. A trivial password. Plaintext secrets. Customer passwords stored in IT ticket subject lines. Each one is a known failure mode with known remediation. Together, they paint a picture of an organization where security governance exists on paper but not in the infrastructure.

The GRC angle

LexisNexis already faces a GDPR complaint from NOYB for collecting EU citizens’ data without explicit consent. This breach adds exposure of .gov accounts, potential GDPR fines up to 4% of global revenue, and the reputational question of how a company that sells risk analytics to others managed its own risk so poorly.

FulcrumSec is a data extortion group that does not deploy ransomware. They steal data and sell it to a single buyer. The data from this breach, including government account details and infrastructure mappings, has obvious value to intelligence services. Whether it ends up there is no longer within LexisNexis’s control.