On March 4, 2026, LexisNexis Legal & Professional - the legal information division of RELX Group (LSE/AMS: REL, NYSE: RELX), a company with GBP 9.4 billion in annual revenue - confirmed a data breach after threat actor FULCRUMSEC exploited CVE-2025-55182, a CVSS 10.0 remote code execution vulnerability in React Server Components known as "React2Shell," to gain initial access to the company's AWS infrastructure.
The vulnerability had been public since early December 2025 and was added to CISA's Known Exploited Vulnerabilities catalog on December 5. LexisNexis left it unpatched for nearly three months.
Once inside, the attacker discovered a hardcoded database master password - "Lexis1234" - reused across at least five internal systems, and leveraged an overprivileged ECS task role that granted read access to every secret in the AWS account.
FULCRUMSEC exfiltrated 2.04 GB of structured data including 400,000 user profiles, 21,042 enterprise customer accounts (law firms, government agencies, universities, insurance companies), 53 AWS Secrets Manager entries in plaintext, 3.9 million database records, and contact information for 118 federal judges, DOJ attorneys, SEC staff, and law clerks.
This is the second major breach of a RELX-owned entity in less than a year - a December 2024 incident at LexisNexis Risk Solutions exposed the Social Security numbers of 364,333 individuals.
KEY FACTS
- What: Exploitation of the unpatched React2Shell vulnerability (CVE-2025-55182, CVSS 10.0), combined with the hardcoded password "Lexis1234" and an overprivileged ECS task role, to exfiltrate 2.04 GB from AWS infrastructure.
- Who: LexisNexis Legal & Professional (subsidiary of RELX Group). 400,000 user profiles, 21,042 enterprise accounts, and 118 federal government personnel including judges, DOJ attorneys, SEC staff, and law clerks.
- How: React2Shell RCE into an AWS container, then lateral movement via an overprivileged ECS task role with unrestricted Secrets Manager read access. Hardcoded password "Lexis1234" reused across five systems.
- Data: 400,000 user profiles (names, emails, phones, job functions), 21,042 customer accounts with contract details, 53 plaintext AWS secrets (GitHub tokens, Azure DevOps credentials, Databricks tokens, Salesforce client secrets, Looker/Tableau keys), 45 employee password hashes, 82,683 customer support tickets (some containing passwords in plaintext), 5,582 attorney survey respondents, 300,000+ customer contract records with pricing and renewal dates, and complete VPC infrastructure maps.
- Actor: FULCRUMSEC - published a 4,000-word manifesto and leaked data on BreachForums and their own leak site. Motivation appears financial and reputational (public humiliation of security failures).
- Impact: Second RELX breach in under 12 months. Federal judiciary contact exposure raises national security concerns. Class action lawsuit investigation initiated. RELX subject to SEC disclosure obligations under Item 1.05 of Form 8-K.
WHAT HAPPENED
On February 24, 2026, FULCRUMSEC gained initial access to LexisNexis Legal & Professional's AWS infrastructure by exploiting CVE-2025-55182 - a critical unsafe deserialization vulnerability in React Server Components' Flight protocol, publicly known as React2Shell.
The vulnerability carries a CVSS v3 score of 10.0 and a CVSS v4 score of 9.3. It allows an unauthenticated attacker to achieve remote code execution through a single malicious HTTP request by sending malformed data that tricks the server into interpreting it as legitimate commands.
The flaw had been publicly disclosed in early December 2025. CISA added it to the Known Exploited Vulnerabilities catalog on December 5, 2025. Microsoft, AWS, Google Cloud, Palo Alto Unit 42, Trend Micro, Wiz, Cloudflare, Sophos, Elastic, and Qualys all published advisories and detection guidance.
LexisNexis did not patch its React frontend application for nearly three months.
After achieving code execution inside a React container, FULCRUMSEC discovered that the container ran under an ECS task role named "LawfirmsStoreECSTaskRole" - and that this role had been granted sweeping read permissions.
The role could access the production Redshift data warehouse (536 tables), 17 VPC databases (430+ tables), the entire AWS Secrets Manager vault (53 secrets), and the Qualtrics survey platform. No segmentation existed between development and production secret access.
A single compromised container provided keys to the entire kingdom.
The attacker then extracted 53 plaintext entries from AWS Secrets Manager. These were not limited to database credentials - they included GitHub tokens, Azure DevOps credentials, Databricks tokens, Salesforce client secrets, and Looker and Tableau analytics keys.
Among these secrets, the attacker found the RDS master password: "Lexis1234." This same password appeared across at least five different secret entries - the RDS master credential, the Aurora credential, the DigitalPlatform database, the development services configuration, and the AnalyticsDataTool.
A single, trivially guessable, hardcoded password controlled access to the most sensitive production databases in the environment.
With full database access, FULCRUMSEC exfiltrated 2.04 GB of structured data encompassing 3.9 million database records. On March 3, 2026, the threat actor posted a nearly 4,000-word manifesto on BreachForums and their own leak site alongside a link to the exfiltrated data.
THREAT ACTOR
FULCRUMSEC is a threat actor that maintains a dedicated leak site and has posted on BreachForums.
The group explicitly distinguished this 2026 breach of LexisNexis Legal & Professional from the prior December 2024 breach of LexisNexis Risk Solutions, indicating operational awareness of RELX's corporate structure.
The manifesto was technically detailed - referencing specific IAM role names, ECS task configurations, Redshift table counts, and Secrets Manager entries - lending credibility to the claims.
FULCRUMSEC's motivation appears to be a combination of financial gain and public humiliation of what they characterized as negligent security practices at a company that profits from selling data intelligence.
Attribution confidence: confirmed (self-claimed with verifiable technical evidence).
WHAT WAS EXPOSED
- 400,000 user profiles - full names, email addresses, phone numbers, job functions, and professional titles for cloud platform users
- 21,042 enterprise customer accounts - law firms, government agencies, universities, and insurance companies, including product usage data, contract terms, pricing, and renewal dates
- 300,000+ customer contract records revealing commercial terms and renewal schedules - competitively sensitive information
- 118 profiles linked to .gov email addresses - federal judges, U.S. Department of Justice attorneys, SEC enforcement staff, and law clerks
- 53 AWS Secrets Manager entries in plaintext - including GitHub tokens, Azure DevOps credentials, Databricks tokens, Salesforce client secrets, Looker and Tableau analytics keys, and production database master credentials
- 45 employee password hashes
- 82,683 customer support tickets - some containing customer passwords in plaintext
- 5,582 attorney survey respondents with associated data
- 536 Redshift tables and 430+ VPC database tables - complete data warehouse contents
- Complete VPC infrastructure maps exposing internal network architecture
The exposure of federal judiciary contact information is the most consequential element of this breach. Federal judges handling organized crime, national security, and terrorism cases rely on confidentiality of their personal contact information.
The Judicial Security Improvement Act of 2007 and the Daniel Anderl Judicial Security and Privacy Act of 2022 (named after the son of U.S. District Judge Esther Salas, who was murdered in 2020 by a litigant who found her home address online) specifically restrict public access to federal judges' personal information.
LexisNexis - a company that profits from aggregating personal data - exposed the very individuals these laws were designed to protect.
LexisNexis has stressed that no Social Security numbers or financial data were exposed. However, the exposed data includes business contact details, professional roles, organizational affiliations, and infrastructure secrets that enable further attacks on both the individuals and the systems.
TECHNICAL FAILURE CHAIN
1. Unpatched critical vulnerability for three months. CVE-2025-55182 was disclosed in early December 2025, added to CISA's KEV catalog on December 5, and had patches, advisories, and detection rules available from every major security vendor.
LexisNexis left a CVSS 10.0 RCE vulnerability unpatched in a public-facing React frontend for nearly 90 days. This is not a zero-day - it is a failure to patch a known, actively exploited, maximum-severity vulnerability with available fixes.
2. Overprivileged ECS task role. The "LawfirmsStoreECSTaskRole" ECS task role had read access to the production Redshift data warehouse, 17 VPC databases, the entire AWS Secrets Manager vault, and the Qualtrics survey platform. This violates the principle of least privilege.
A container serving a React frontend should not have access to production databases, secrets, or analytics infrastructure. AWS IAM best practices explicitly recommend scoping task roles to the minimum permissions required.
3. Hardcoded password reused across five systems. The RDS master password was "Lexis1234" - a trivially guessable, human-readable string that appeared in at least five separate secret entries (RDS, Aurora, DigitalPlatform, development services, AnalyticsDataTool).
This indicates no password rotation policy, no complexity enforcement, and no separation between development and production credentials.
4. No secrets segmentation. All 53 secrets were accessible from a single ECS task role. There was no segmentation between development, staging, and production secrets. No resource-level IAM policies restricted which secrets a given role could retrieve.
A single compromised workload could read every credential in the account.
5. No anomaly detection on bulk data access. The attacker queried 536 Redshift tables and 430+ VPC database tables, extracting 3.9 million records totaling 2.04 GB. No data loss prevention, no query anomaly detection, and no exfiltration alerting triggered during this activity.
AWS CloudTrail, GuardDuty, and Macie provide native capabilities for detecting exactly this pattern.
6. Legacy data retention without purpose limitation.
LexisNexis acknowledged the breached data was "mostly legacy, deprecated data from prior to 2020." If the data was deprecated and no longer needed for business purposes, it should have been deleted under data minimization principles.
Retaining six-year-old data in accessible production databases without business justification expands the blast radius of any breach.
REGULATORY EXPOSURE
- SEC Disclosure (Item 1.05 of Form 8-K) - RELX is listed on the NYSE (RELX), London Stock Exchange, and Euronext Amsterdam. The SEC's cybersecurity incident disclosure rule mandates that public companies file an Item 1.05 Form 8-K within four business days of determining an incident is "material." Given this is the second breach of a RELX subsidiary in under 12 months, the materiality determination is particularly scrutinized.
- CCPA/CPRA (California Civil Code 1798.100 et seq.) - While LexisNexis states no SSNs or financial data were exposed, the breach includes email addresses, phone numbers, and professional information of California residents. Under CCPA, "personal information" includes professional or employment-related information. Penalties reach $7,500 per intentional violation for failure to implement reasonable security measures.
- State Breach Notification Laws - Business contact information combined with user credentials (45 employee password hashes, support tickets containing plaintext passwords) may trigger notification obligations depending on state-specific definitions of personal information. Multiple states define "personal information" broadly enough to encompass email addresses combined with passwords or security questions.
- FTC Act Section 5 - The FTC has brought enforcement actions against companies for unfair or deceptive data security practices. A company that sells data intelligence products while maintaining a hardcoded password of "Lexis1234" across five production systems faces a credible argument of unfair practices. The FTC's 2023 consent decree with Drizly (CTO personally named) and its actions against data brokers set relevant precedent.
- GDPR (Regulation 2016/679) - RELX operates in 40 countries and serves customers in 180+ nations, including EU member states. LexisNexis Legal & Professional serves European law firms and government agencies. Article 5(1)(f) requires "appropriate security" of personal data. Article 32 mandates technical measures "appropriate to the risk." A CVSS 10.0 vulnerability left unpatched for three months, a hardcoded password of "Lexis1234," and an overprivileged ECS task role fall catastrophically short of "appropriate." Fines reach up to EUR 20M or 4% of annual global turnover - approximately EUR 440M based on RELX's GBP 9.4B (approximately EUR 11B) revenue.
- UK GDPR / DPA 2018 - LexisNexis has significant operations in the United Kingdom. The same analysis as for GDPR applies. ICO enforcement; fines up to GBP 17.5M or 4% of annual turnover.
- Judicial Security Implications - The exposure of 118 federal judiciary profiles implicates the Daniel Anderl Judicial Security and Privacy Act of 2022, which restricts the dissemination of personally identifiable information of federal judges. While this law primarily targets data brokers' voluntary dissemination rather than breach liability, the irony is acute: LexisNexis is itself one of the largest data brokers in the world, and its own security failure exposed the judges these laws protect.
- Gramm-Leach-Bliley Act (GLBA) - LexisNexis Risk Solutions (the sibling division breached in December 2024) provides identity verification and fraud prevention services to financial institutions. If any data from this breach intersects with financial institution client relationships, the Safeguards Rule's requirements for information security programs apply.
ZERO|TOLERANCE Advisory
1. Emergency Patch Management for Critical Vulnerabilities - CVE-2025-55182 was CVSS 10.0, in CISA's KEV catalog, and had patches available for three months.
Organizations must have a process to deploy emergency patches for actively exploited, maximum-severity vulnerabilities within days - not months. CISA's BOD 22-01 mandates federal agencies remediate KEV entries within specific timelines.
Private organizations should adopt the same discipline.
2. Least-Privilege IAM for Workload Identities - The ECS task role should have been scoped to the minimum permissions required for the React frontend to function. It should not have had read access to Redshift, VPC databases, Secrets Manager, or analytics platforms.
AWS recommends using resource-level IAM policies and condition keys to restrict Secrets Manager access to specific secret ARNs.
3. Eliminate Hardcoded and Static Credentials - "Lexis1234" should never have existed. Production database credentials should be dynamically generated, automatically rotated (AWS Secrets Manager supports automatic rotation for RDS), and never shared across environments.
No human-readable password should appear in any secret store. SAST tools, pre-commit hooks, and secret-scanning pipelines (GitHub Advanced Security, GitLeaks, TruffleHog) would have flagged this.
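The two defects item 3 describes, one value stored under several secret names and a password that a person chose rather than a generator, are both easy to catch in an export of a secret store. The following audit script is an added example written for this advisory; it is not LexisNexis's or AWS's code. The entry names and values are constructed to mirror the page's description (the organisation token "lexis" and the 16-character minimum are assumptions you would tune), and findings carry only a hash prefix so the report never echoes a plaintext credential.

```python
# Added example (not LexisNexis's or AWS's code): audit an exported set of
# secret-store entries for a value reused across entries and for
# human-chosen passwords. Names and values below are constructed for the
# example and are not real credentials.
import hashlib
import re
from collections import defaultdict

# Constructed inventory, shaped after the page's description (name -> value).
SAMPLE_SECRETS = {
    "prod/rds/master": "Lexis1234",
    "prod/aurora/master": "Lexis1234",
    "prod/digitalplatform/db": "Lexis1234",
    "dev/services/config": "Lexis1234",
    "prod/analyticsdatatool/db": "Lexis1234",
    "prod/github/token": "tok_Ab1Cd2Ef3Gh4Ij5Kl6Mn7Op8Qr9St0Uv1Wx2Y",
    "prod/salesforce/client_secret": "A1b2C3d4E5f6G7h8I9j0K1l2M3n4O5p6",
}


def fingerprint(value: str) -> str:
    """Short SHA-256 prefix so findings can be shared without echoing plaintext."""
    return hashlib.sha256(value.encode()).hexdigest()[:12]


def find_reuse(secrets: dict) -> dict:
    """Return {fingerprint: [names]} for every value stored under two or more names."""
    groups = defaultdict(list)
    for name, value in secrets.items():
        groups[fingerprint(value)].append(name)
    return {fp: sorted(names) for fp, names in groups.items() if len(names) > 1}


def is_weak_password(value: str, org_tokens=("lexis",), min_len=16) -> list:
    """Return the reasons a value looks human-chosen; an empty list means no finding.
    org_tokens (assumed) lists company names or brands that must never appear in a secret."""
    reasons = []
    if len(value) < min_len:
        reasons.append(f"shorter than {min_len} chars")
    classes = sum(bool(re.search(p, value))
                  for p in (r"[a-z]", r"[A-Z]", r"\d", r"[^A-Za-z0-9]"))
    if classes < 3:
        reasons.append("fewer than 3 character classes")
    if any(tok in value.lower() for tok in org_tokens):
        reasons.append("contains organisation name")
    if re.fullmatch(r"[A-Za-z]+\d{1,6}", value):
        reasons.append("word followed by digits")
    return reasons


def audit(secrets: dict, org_tokens=("lexis",)) -> dict:
    """Combine both checks into one report keyed by finding type."""
    weak = {}
    for name, value in secrets.items():
        reasons = is_weak_password(value, org_tokens)
        if reasons:
            weak[name] = reasons
    return {"reused": find_reuse(secrets), "weak": weak}


if __name__ == "__main__":
    report = audit(SAMPLE_SECRETS)
    for fp, names in report["reused"].items():
        print(f"value {fp} reused by {len(names)} entries: {', '.join(names)}")
    for name, reasons in report["weak"].items():
        print(f"{name}: {'; '.join(reasons)}")
```

Run against the sample, the reuse check groups all five "Lexis1234" entries under one fingerprint, and the guessability check flags that value three times over (too short, contains the organisation name, word-plus-digits) while leaving the generated token and client secret alone. In practice the input would come from a `ListSecrets` plus `GetSecretValue` sweep run by a dedicated audit role, and the report, not the values, is what leaves that role.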
4. Secrets Segmentation by Environment and Workload - Production, staging, and development secrets must be isolated in separate AWS accounts or, at minimum, behind IAM policies that restrict access by environment.
A development service configuration secret should never be accessible from the same role that reads production database credentials.
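Items 2 and 4 both come down to the same control: the task role's policy must name the secrets it may read rather than granting `secretsmanager:GetSecretValue` on `*`, and a tag condition keeps a production role from reaching development entries even if an ARN pattern is too broad. The script below is an added example for this advisory, not AWS's policy engine or anything from LexisNexis: it puts an overprivileged statement beside a scoped one and runs both through a deliberately simplified evaluator (explicit Deny wins, any matching Allow grants; no SCPs, permission boundaries or resource policies). The account ID, region, secret names and tags are constructed; `secretsmanager:ResourceTag/<key>` is the documented Secrets Manager condition key for tag-based access.

```python
# Added example (not AWS's or LexisNexis's code): compare an overprivileged
# ECS task-role policy with a scoped one using a simplified IAM evaluator.
# Account ID, region, secret names and tags are constructed placeholders.
import fnmatch
import json

ACCOUNT = "123456789012"   # placeholder account id
REGION = "us-east-1"       # placeholder region
ACTION = "secretsmanager:GetSecretValue"


def secret_arn(name: str) -> str:
    """Build a Secrets Manager ARN; the trailing suffix stands in for the random one AWS appends."""
    return f"arn:aws:secretsmanager:{REGION}:{ACCOUNT}:secret:{name}-AbCdEf"


# Constructed inventory loosely modelled on the page's description (names invented).
SECRETS = [
    {"arn": secret_arn("prod/lawfirms-store/db"),
     "tags": {"Environment": "prod", "Workload": "lawfirms-store"}},
    {"arn": secret_arn("prod/rds/master"), "tags": {"Environment": "prod", "Workload": "platform"}},
    {"arn": secret_arn("prod/github/token"), "tags": {"Environment": "prod", "Workload": "ci"}},
    {"arn": secret_arn("dev/services/config"), "tags": {"Environment": "dev", "Workload": "services"}},
]

# The failure mode on the page: one statement, every secret in the account.
OVERPRIVILEGED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": ACTION, "Resource": "*"}],
}

# The corrected form: explicit ARN prefix plus tag conditions on environment and workload.
SCOPED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ACTION,
        "Resource": f"arn:aws:secretsmanager:{REGION}:{ACCOUNT}:secret:prod/lawfirms-store/*",
        "Condition": {"StringEquals": {
            "secretsmanager:ResourceTag/Environment": "prod",
            "secretsmanager:ResourceTag/Workload": "lawfirms-store",
        }},
    }],
}


def _as_list(x):
    return x if isinstance(x, list) else [x]


def _condition_matches(condition: dict, tags: dict) -> bool:
    """Support only StringEquals on ResourceTag keys; anything else is treated as unmet."""
    for key, expected in condition.get("StringEquals", {}).items():
        if "ResourceTag/" not in key:
            return False
        tag_name = key.split("ResourceTag/", 1)[1]
        if tags.get(tag_name) not in _as_list(expected):
            return False
    return True


def is_allowed(policy: dict, action: str, resource_arn: str, tags: dict) -> bool:
    """Simplified IAM evaluation: an explicit Deny wins; otherwise any matching Allow grants."""
    allowed = False
    for stmt in policy["Statement"]:
        action_ok = any(fnmatch.fnmatchcase(action, a) for a in _as_list(stmt["Action"]))
        resource_ok = any(fnmatch.fnmatchcase(resource_arn, r) for r in _as_list(stmt["Resource"]))
        cond_ok = _condition_matches(stmt.get("Condition", {}), tags)
        if not (action_ok and resource_ok and cond_ok):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


def reachable_secrets(policy: dict, secrets=SECRETS) -> list:
    """ARNs the policy lets a caller read; the blast radius of one compromised container."""
    return [s["arn"] for s in secrets if is_allowed(policy, ACTION, s["arn"], s["tags"])]


if __name__ == "__main__":
    for label, policy in (("overprivileged", OVERPRIVILEGED_POLICY), ("scoped", SCOPED_POLICY)):
        print(f"{label}: {json.dumps(reachable_secrets(policy), indent=2)}")
```

The overprivileged policy reaches all four secrets, including the development entry; the scoped policy reaches exactly the one secret the frontend workload owns, and a secret that matches the ARN prefix but carries the wrong `Environment` tag is still refused. For the real account the equivalent check is the IAM policy simulator or IAM Access Analyzer's unused-access findings, run per task role.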
5. Data Loss Prevention and Exfiltration Detection - Deploy AWS GuardDuty, Macie, and CloudTrail-based anomaly detection to identify bulk data access patterns.
A single workload querying 536 Redshift tables and extracting 2.04 GB should trigger immediate automated alerts and, ideally, automated circuit-breaker responses.
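The alert item 5 calls for needs no special tooling to prototype: CloudTrail already records every `GetSecretValue` with the calling role and the secret ID, so a detector only has to count distinct secrets per principal inside a sliding window. The following is an added example for this advisory, not AWS's or LexisNexis's code. The records are constructed CloudTrail-style JSON (account ID, IP addresses, timestamps and secret IDs are invented; the task-role name is the one the page reports); the ten-minute window and threshold of five distinct secrets are assumptions to be set from each role's observed baseline.

```python
# Added example (not AWS's or LexisNexis's code): flag a principal that reads
# an unusual number of distinct secrets in a short window, over constructed
# CloudTrail-style GetSecretValue records.
import json
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=10)   # assumed; tune to the role's baseline
THRESHOLD = 5                    # assumed; distinct secrets per principal per window
ACCOUNT = "123456789012"         # placeholder account id


def _event(t: str, role: str, secret: str, ip: str) -> str:
    """Build one constructed CloudTrail record using the real field names for this event."""
    return json.dumps({
        "eventVersion": "1.08",
        "eventTime": t,
        "eventSource": "secretsmanager.amazonaws.com",
        "eventName": "GetSecretValue",
        "sourceIPAddress": ip,
        "userIdentity": {
            "type": "AssumedRole",
            "arn": f"arn:aws:sts::{ACCOUNT}:assumed-role/{role}/task",
            "sessionContext": {"sessionIssuer": {"arn": f"arn:aws:iam::{ACCOUNT}:role/{role}"}},
        },
        "requestParameters": {"secretId": secret},
    })


# Constructed sample: a batch role reading its own two secrets, then the frontend
# task role reading eight different secrets in eight minutes.
SAMPLE_EVENTS = (
    [_event("2026-02-24T09:00:00Z", "BillingBatchRole", "prod/billing/db", "10.0.1.5"),
     _event("2026-02-24T09:07:00Z", "BillingBatchRole", "prod/billing/api-key", "10.0.1.5")]
    + [_event(f"2026-02-24T09:1{i}:00Z", "LawfirmsStoreECSTaskRole", f"prod/secret-{i:02d}", "10.0.2.9")
       for i in range(8)]
)


def parse(line: str):
    """Extract the fields the detector needs; None for records that are not secret reads."""
    e = json.loads(line)
    if e.get("eventName") != "GetSecretValue":
        return None
    issuer = e["userIdentity"].get("sessionContext", {}).get("sessionIssuer", {})
    return {
        "time": datetime.strptime(e["eventTime"], "%Y-%m-%dT%H:%M:%SZ"),
        # Attribute to the role, not the per-task session, so tasks cannot dodge the count.
        "principal": issuer.get("arn", e["userIdentity"].get("arn")),
        "secret": e["requestParameters"]["secretId"],
        "source_ip": e.get("sourceIPAddress"),
    }


def detect_bulk_secret_reads(lines, window=WINDOW, threshold=THRESHOLD) -> list:
    """One alert per principal, raised the first time it reads more than `threshold`
    distinct secrets within `window`. Records are sorted by time before scanning."""
    events = [p for p in (parse(line) for line in lines) if p]
    recent = defaultdict(deque)   # principal -> deque of (time, secret) inside the window
    alerted, alerts = set(), []
    for ev in sorted(events, key=lambda e: e["time"]):
        q = recent[ev["principal"]]
        q.append((ev["time"], ev["secret"]))
        while q and ev["time"] - q[0][0] > window:
            q.popleft()
        distinct = {s for _, s in q}
        if len(distinct) > threshold and ev["principal"] not in alerted:
            alerted.add(ev["principal"])
            alerts.append({"principal": ev["principal"], "at": ev["time"].isoformat(),
                           "distinct_secrets": len(distinct), "source_ip": ev["source_ip"]})
    return alerts


if __name__ == "__main__":
    for alert in detect_bulk_secret_reads(SAMPLE_EVENTS):
        print(json.dumps(alert))
```

On the sample the billing role never trips the rule, while the task role is flagged at its sixth distinct secret, minutes into the sweep rather than after 53 secrets and 2.04 GB have left. The same shape of rule, keyed on principal and distinct table names, applies to Redshift query logs for the data-warehouse side of the exfiltration; in production the equivalent lives in a CloudTrail Lake or SIEM query with GuardDuty's own findings alongside it.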
6. Data Minimization and Retention Enforcement - If the breached data was "mostly legacy, deprecated data from prior to 2020," it should have been deleted years ago. GDPR Article 5(1)(e) and CCPA both require that personal data not be retained longer than necessary.
Implement automated data lifecycle policies that purge deprecated data on schedule.
SOURCES
BleepingComputer, Cybernews, The Register, American Banker, LawNext, CPO Magazine, Cybersecurity News, CyberPress, SC Media, State of Surveillance, Aembit, Paubox, Rescana, Microsoft Security Blog, AWS Security Blog, Google Cloud Blog, Wiz, Palo Alto Unit 42, Trend Micro, Qualys, Elastic, Sophos, Cloudflare, ClassAction.org, Markovits Stock & DeMarco