LexisNexis Legal & Professional AWS Breach and FulcrumSec Data Leak
LexisNexis Legal & Professional confirmed that an unauthorized party accessed a limited number of its servers after a threat actor using the alias FulcrumSec leaked roughly 2 GB of allegedly stolen files on underground forums. LexisNexis stated the exposed information was mostly legacy/deprecated data from prior to 2020 (e.g., customer names, user IDs, business contact details, products used, customer survey data including respondent IP addresses, and support tickets) and said it found no evidence of impact to products or services; the company reported the matter to law enforcement and engaged an external forensics firm.
FulcrumSec claimed the intrusion began by exploiting the React2Shell vulnerability in an unpatched React frontend application to gain access to LexisNexis’ AWS environment, and alleged broader access within cloud resources (including an ECS task role and data stores) and the presence of government-related accounts (e.g., .gov email addresses) in the stolen dataset. Public reporting notes a discrepancy between the actor’s claims (e.g., “millions of records,” passwords, and other internal artifacts) and LexisNexis’ characterization of the exposed data as limited and non-sensitive (no SSNs, financial data, active passwords, or customer search queries), but multiple outlets corroborated that the leaked files are tied to a real, now-contained incident affecting LexisNexis’ Legal & Professional division.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
3 events from the most recent confirmed update back to the earliest known activity.
LexisNexis confirms contained breach and notifies customers and law enforcement
LexisNexis Legal & Professional confirmed that attackers accessed a limited number of servers containing mostly legacy or deprecated pre-2020 data and said the incident had been contained with no evidence of impact to products or services. The company said it engaged an external forensics firm, notified law enforcement, and informed affected current and former customers, while stating that highly sensitive data such as Social Security numbers, financial data, and active passwords were not exposed.
FulcrumSec leaks purported LexisNexis data on underground forums
After the intrusion, FulcrumSec publicly posted or advertised roughly 2 GB of purported LexisNexis data on cybercrime forums, claiming the dump contained millions of records, including customer and business information. The leak prompted public scrutiny and media reporting about the scope of the alleged compromise.
FulcrumSec allegedly breaches LexisNexis via React2Shell exploit
Multiple reports say the threat actor FulcrumSec claimed initial access to LexisNexis Legal & Professional on February 24, 2026 by exploiting an unpatched React frontend application, leading to access to the company's AWS environment. The actor alleged it could reach Redshift, VPC databases, Secrets Manager, and other cloud assets and exfiltrate about 2.04 GB of data.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
7 references tracked. Mallory keeps watching after this page renders.
LexisNexis Hack Exposes 3.9M Records Through Unpatched React Vulnerability
techrepublic.com
Open sourceLexisNexis Legal & Professional confirms data breach after React2Shell exploit | brief | SC Media
scworld.com
Open sourceLexisNexis Legal & Professional confirms data breach • The Register
go.theregister.com
Open sourceLexisNexis Legal & Professional confirms data breach • The Register
theregister.com
Open sourceLexisNexis Data Breach - Threat Actor Allegedly Claims 2.04 GB Stolen
cybersecuritynews.com
Open sourceLexisNexis says hackers accessed legacy data in contained breach | The Record from Recorded Future News
therecord.media
Open sourceLexisNexis confirms data breach as hackers leak stolen files
bleepingcomputer.com
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
FulcrumSec Claims Arup Breach Exposed GitHub Repos, Cloud Data, and Client Projects
FulcrumSec has claimed responsibility for breaching UK engineering firm Arup Group and stealing large volumes of data, later listing the company on its Tor leak site. According to the threat actor’s account, the intrusion began in September 2025 after attackers found a GitHub personal access token hardcoded in a JavaScript file on a forgotten Arup subdomain, which allegedly opened access to more than 10,000 private repositories and led to additional credentials in code. The group said it exfiltrated about **700GB of GitHub repositories**, **2TB of Azure and AWS S3 data**, database backups, source code, and other internal material before credentials were rotated. The stolen data allegedly included sensitive information tied to major clients and infrastructure projects, including HS2-related repositories, Euston Station design files, archaeological GPS coordinates, Neuron BMS and Odoo ERP data, Apple code-signing certificates with plaintext passwords, and GCP payment gateway credentials. FulcrumSec said Arup detected parts of the intrusion roughly six weeks after initial access but that the attackers retained visibility into the environment for months, analyzing the haul before contacting the company in April 2026. The incident underscores the downstream risk posed by hardcoded secrets, forgotten internet-facing assets, delayed credential rotation, and weak monitoring of source-code and cloud environments.
Jun 10, 2026
Dark Web Leak Claims Target Multiple Organizations, Including Salesfloor and Republic
Dark web monitoring reports surfaced multiple **alleged data leaks** affecting unrelated organizations, with several listings offering databases for sale or direct download. Reports claim **Republic (republic.com)** user data (~4.94M users) was listed for sale for **$2,400**, allegedly including names, emails, physical addresses, and phone numbers. Separate dark web listings also alleged exposure of **rueducommerce.fr** user data (linked in reporting to **Carrefour**) totaling ~2.17M records with similar PII, as well as alleged leaks involving **Dunzo** (~3.4M records) and **Menulux** (~93K records). Additional reporting highlighted a historical breach dataset for the **YouHack** forum (2013; ~107K users) containing usernames, emails, passwords, IPs, posts, and private messages, and a smaller exposure tied to **buylottoonline.com** (~38.5K email records). One of the most consequential claims involved **Salesfloor / People Powered E-Commerce (salesfloor.net)**, attributed in reporting to **LAPSUS$**, alleging theft of roughly **4 TB uncompressed** (1 TB compressed) data including **source code, logs, and customer information**, with potential downstream impact to retail brands using the platform. Separately from the dark-web-leak theme, other items in the set describe distinct vulnerability-driven risks rather than breach listings: **Zoom Node MMRs** command injection (**CVE-2026-22844**, CVSS 9.9) enabling arbitrary code execution in certain hybrid meeting deployments; **SmarterMail** auth bypass (**CVE-2026-23760**) enabling admin password reset via `force-reset-password` and potential RCE; **Vite** improper access control (**CVE-2025-31125**) enabling sensitive file exposure via query parameters such as `?inline&import` / `?raw&import` (noted as added to CISA KEV); and **Appsmith** password-reset token exposure (**CVE-2026-22794**) enabling account takeover, with internet-exposed instances identified via Shodan and remediation via upgrade to *Appsmith* 1.93. These vulnerability reports are separate from the dark web leak claims and should be tracked as independent patching priorities rather than as part of a single breach event.
Mar 21, 2026
Massive Data Exposure via Misconfigured Elasticsearch Server Containing 6 Billion Records
A misconfigured Elasticsearch server, believed to be operated from Russia or a Russian-speaking country, was discovered leaking over 6.19 billion records to the public internet without any authentication or password protection. The exposed server contained a massive trove of 1.12 terabytes of data, including records collected from both disclosed and undisclosed data breaches, as well as information obtained through website scraping. Among the most sensitive data found were records from Ukrainian bank Accordbank, which included users’ full names, birthdates, birthplaces, addresses, phone numbers, national ID numbers, passport numbers, and tax codes. Independent cybersecurity researcher Anurag Sen was the first to identify the exposed server and report its existence to the media. The server’s index information confirmed the scale of the exposure, with over 6.19 billion records available for anyone to access. Screenshots from the server revealed that the data was stored in JSON format and included detailed personally identifiable information (PII) from various sources. The database also contained files referencing Accordbank, which were later observed being peddled by the user "tRex_Prime" on DarkForums, indicating that the data may have already been accessed and distributed by other threat actors. The leak included not only banking and contact information but also records from other breaches and data scraped from websites, making the exposure particularly broad and damaging. The server was eventually taken offline, but it remains unclear how long the data was accessible or how many unauthorized parties may have downloaded the information. Previous incidents involving hacking groups such as ShinyHunters and Nemesis were also mentioned, as they had leaked stolen data and hacking tools from other exposed cloud storage resources in the past. The incident highlights the ongoing risks associated with misconfigured cloud infrastructure and the potential for large-scale data aggregation to amplify the impact of breaches. Security experts warn that such exposed databases are prime targets for cybercriminals seeking to exploit PII for identity theft, fraud, and further attacks. The presence of both old and new breach data, as well as scraped information, demonstrates the evolving tactics of threat actors in collecting and monetizing sensitive information. Organizations are urged to regularly audit their cloud configurations and monitor for unauthorized data exposures to prevent similar incidents. The scale and sensitivity of the leaked data underscore the urgent need for improved security practices in managing large datasets, especially those containing PII from multiple sources. The incident serves as a stark reminder of the consequences of failing to secure cloud-based data storage and the far-reaching impact such exposures can have on individuals and organizations worldwide.
Mar 21, 2026