Full Report
American data analytics company LexisNexis Legal & Professional has confirmed to BleepingComputer that hackers breached its servers and accessed some customer and business information. [...]
Analysis Summary
# Incident Report: Compromise of LexisNexis AWS Infrastructure via React2Shell Vulnerability
## Executive Summary
In late February 2026, the threat actor "FulcrumSec" exploited a critical vulnerability in an unpatched React frontend application to breach the AWS infrastructure of LexisNexis Legal & Professional. The attackers exfiltrated approximately 2GB of data, including customer account records, database tables, and plaintext secrets from AWS Secrets Manager. LexisNexis has since contained the incident and states the exfiltrated data was largely legacy information from prior to 2020.
## Incident Details
- **Discovery Date:** Late February 2026
- **Incident Date:** February 24, 2026
- **Affected Organization:** LexisNexis Legal & Professional
- **Sector:** Data Analytics / Legal Services
- **Geography:** United States / Global
## Timeline of Events
### Initial Access
- **Date/Time:** February 24, 2026
- **Vector:** Exploitation of a known but unpatched vulnerability in an internet-facing web application.
- **Details:** Attackers exploited the "React2Shell" vulnerability in an unpatched React frontend application running in a containerized environment (an ECS task), gaining code execution inside the container.
### Lateral Movement
- **Details:** Upon gaining entry via the vulnerable container, the threat actor leveraged an overly permissive IAM role (the ECS task role attached to the frontend task). Any process inside an ECS task can obtain the task role's temporary credentials from the ECS agent's credentials endpoint, so code execution in the container was equivalent to holding that role. Because the role was far broader than the frontend needed, it allowed the attacker to move from the frontend container to backend services, including AWS Secrets Manager and databases inside the VPC.
### Data Exfiltration/Impact
- **Details:** The threat actor exfiltrated 2.04 GB of structured data. This included 3.9 million database records, 21,042 customer accounts, and 53 plaintext secrets (including Redshift master credentials). FulcrumSec subsequently leaked this data on underground forums.
### Detection & Response
- **Discovery:** The incident was identified after the threat actor contacted LexisNexis and subsequently posted the stolen data online.
- **Response actions taken:** LexisNexis initiated an investigation, engaged third-party cybersecurity experts, notified law enforcement, and began notifying affected customers.
## Attack Methodology
- **Initial Access:** Exploitation of React2Shell vulnerability in a React app.
- **Persistence:** Not detailed in the report. The plaintext secrets pulled from AWS Secrets Manager (including Redshift master credentials) remain valid until rotated, so they gave the actor a foothold independent of the initial container access.
- **Privilege Escalation:** No separate escalation exploit was needed: the ECS task role attached to the frontend container already held permission to read production secrets, so the attacker inherited that access with the initial foothold.
- **Defense Evasion:** Not detailed. API calls made with the task role's own credentials appear in CloudTrail as ordinary workload traffic and are unlikely to be flagged unless the role's normal behaviour has been baselined.
- **Credential Access:** Stole 53 secrets in plaintext from AWS Secrets Manager and 45 employee password hashes.
- **Discovery:** Complete VPC infrastructure mapping and discovery of 536 Redshift tables.
- **Lateral Movement:** Cloud-based movement from web containers to database infrastructure.
- **Collection:** Gathering 2.04 GB of structured data from databases.
- **Exfiltration:** Transfer of 3.9M records and 2.04 GB of data to attacker-controlled infrastructure.
- **Impact:** Unauthorized data disclosure and reputational damage.
## Impact Assessment
- **Financial:** Not disclosed; includes costs for forensics, legal notifications, and potential regulatory fines.
- **Data Breach:** 2.04 GB of data; 3.9M records; 21k customer accounts; includes data on U.S. government employees (DOJ, SEC, Federal Judges).
- **Operational:** No reported impact on active products or services.
- **Reputational:** High; public criticism regarding security practices and the second breach involving customer data within a year.
## Indicators of Compromise
- **Network indicators:** None provided in the report. Monitor for anomalous egress volume from ECS tasks and from the database tier to external destinations; moving roughly 2 GB out through a frontend task should stand out against an egress baseline.
- **File indicators:** leaked_data_lexisnexis[.]zip (2.04 GB). This is the attacker's leak archive as posted on underground forums; it is useful for takedown and leak-site monitoring, not an artifact expected on victim hosts.
- **Behavioral indicators:** CloudTrail `secretsmanager:ListSecrets` and `secretsmanager:GetSecretValue` calls from an ECS task role against secrets outside that task's normal set; reads of the Redshift master credential by any principal other than a DBA role; Redshift sessions using the master user from application or task network locations.
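The behavioural indicators above can be expressed as detection rules over CloudTrail. The following is an added example, not code from the original report or from LexisNexis: it runs four rules (secret read outside a task role's allow-list, master credential read by a non-DBA role, bulk secret harvesting by one principal, and enumerate-then-read) over a handful of constructed CloudTrail-style records. The account ID, role names, secret names and threshold are assumptions made for illustration.

```python
"""Detection rules for the behavioural indicators listed above.

Added example, not part of the original report. It runs the rules over a
few constructed CloudTrail-style records; the role names, secret names,
account ID and thresholds are all assumptions, not values from the incident.
"""
from collections import defaultdict

# Constructed CloudTrail records (sample data, not real logs). Only the
# fields the rules consult are included.
ACCOUNT = "123456789012"  # assumed
FRONTEND = f"arn:aws:sts::{ACCOUNT}:assumed-role/frontend-task-role/7f3a"
DBA = f"arn:aws:sts::{ACCOUNT}:assumed-role/dba-admin-role/c0de"


def _ev(arn, name, secret=None):
    ev = {"eventSource": "secretsmanager.amazonaws.com", "eventName": name,
          "userIdentity": {"type": "AssumedRole", "arn": arn}}
    if secret is not None:
        ev["requestParameters"] = {"secretId": secret}
    return ev


SAMPLE_EVENTS = [
    _ev(FRONTEND, "GetSecretValue", "prod/frontend/session-key"),  # expected
    _ev(FRONTEND, "ListSecrets"),                                  # enumeration
    _ev(FRONTEND, "GetSecretValue", "prod/redshift/master"),       # master cred
    _ev(FRONTEND, "GetSecretValue", "prod/payments/api-key"),
    _ev(FRONTEND, "GetSecretValue", "prod/hr/db-password"),
    _ev(DBA, "GetSecretValue", "prod/redshift/master"),            # legitimate
]

# Assumed allow-list: each ECS task role and the only secrets it should read.
TASK_ROLE_ALLOWLIST = {"frontend-task-role": {"prod/frontend/session-key"}}
# Assumed set of roles permitted to read database master credentials.
DBA_ROLES = {"dba-admin-role"}
# Substrings that mark a secret as a master/admin database credential.
MASTER_SECRET_MARKERS = ("master", "admin")
# Distinct secrets read by one principal before we call it bulk harvesting.
BULK_READ_THRESHOLD = 3


def role_name(event):
    """Return the IAM role name from an assumed-role ARN, or None."""
    arn = event.get("userIdentity", {}).get("arn", "")
    parts = arn.split("/")
    if ":assumed-role/" in arn and len(parts) >= 2:
        return parts[1]
    return None


def analyze(events):
    """Run all rules over the events and return a list of finding dicts."""
    findings = []
    secrets_by_role = defaultdict(set)
    listed_by_role = set()

    for ev in events:
        if ev.get("eventSource") != "secretsmanager.amazonaws.com":
            continue
        role = role_name(ev)
        if role is None:
            continue
        name = ev.get("eventName")
        if name == "ListSecrets":
            listed_by_role.add(role)
            continue
        if name != "GetSecretValue":
            continue
        secret = ev.get("requestParameters", {}).get("secretId", "")
        secrets_by_role[role].add(secret)

        # Rule 1: an ECS task role read a secret outside its allow-list.
        if role in TASK_ROLE_ALLOWLIST and secret not in TASK_ROLE_ALLOWLIST[role]:
            findings.append({"rule": "secret_outside_allowlist", "role": role, "secret": secret})

        # Rule 2: a master/admin database credential read by a non-DBA role.
        if any(m in secret.lower() for m in MASTER_SECRET_MARKERS) and role not in DBA_ROLES:
            findings.append({"rule": "master_credential_non_dba", "role": role, "secret": secret})

    for role, secrets in secrets_by_role.items():
        # Rule 3: one principal pulled many distinct secrets (harvesting).
        if len(secrets) >= BULK_READ_THRESHOLD:
            findings.append({"rule": "bulk_secret_read", "role": role, "count": len(secrets)})
        # Rule 4: the same principal enumerated secrets and then read them.
        if role in listed_by_role:
            findings.append({"rule": "enumerate_then_read", "role": role, "count": len(secrets)})
    return findings


if __name__ == "__main__":
    for finding in analyze(SAMPLE_EVENTS):
        print(finding)
```

In production the allow-list would come from the task definition's declared secrets rather than a hard-coded dict, and the bulk-read rule would be evaluated over a sliding time window; the example fixes both as assumptions so that it runs offline.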
## Response Actions
- **Containment measures:** Isolation of the vulnerable React container and rotation of compromised secrets.
- **Eradication steps:** Patching the React2Shell vulnerability and auditing IAM roles.
- **Recovery actions:** Implementation of enhanced monitoring and notification of affected parties.
## Lessons Learned
- **Patch Management:** A "frontend" React application that renders on the server executes on backend infrastructure, so an unpatched remote code execution flaw in it is a server-side entry point, not a browser-only concern; here it led directly to deep backend infrastructure.
- **Least Privilege:** Over-privileged ECS task roles allowed a single vulnerability to compromise the entire AWS account's secrets.
- **Legacy Data Risks:** Retaining deprecated data (pre-2020) provides unnecessary "low-hanging fruit" for attackers to weaponize in leaks.
## Recommendations
- **IAM Audit:** Implement the Principle of Least Privilege (PoLP) for all AWS ECS task roles; ensure containers only have access to the specific secrets they require.
- **Vulnerability Scanning:** Integrate automated SCA (Software Composition Analysis) into CI/CD pipelines so that dependency versions affected by vulnerabilities such as React2Shell are flagged before deployment, and track deployed container images so that already-running tasks are rebuilt rather than only new builds.
- **Secret Management:** Use scoped IAM policies for AWS Secrets Manager to prevent a single role from reading all secrets in an account.
- **Data Lifecycle Management:** Securely delete or archive legacy/deprecated data to reduce the impact of potential breaches.
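The IAM Audit and Secret Management recommendations above come down to one check: does any statement attached to a task role let it read secrets it was never meant to see? The following is an added example, not code from the original report or from LexisNexis. It puts an over-broad task-role policy of the kind described in the incident beside a scoped replacement that limits `GetSecretValue` to one name prefix, and a small linter that flags the over-broad one. The account ID, region, secret prefix and both sample policies are assumptions made for illustration.

```python
"""Audit of an ECS task-role policy for over-broad Secrets Manager access.

Added example, not from the original report. The account ID, region, secret
prefix and the two sample policies are assumptions made for illustration.
"""
import json

ACCOUNT = "123456789012"   # assumed
REGION = "us-east-1"       # assumed
SECRET_READ_ACTIONS = {"secretsmanager:getsecretvalue",
                       "secretsmanager:batchgetsecretvalue"}

# Weak policy: a task role of the kind that lets one container read every
# secret in the account (constructed to illustrate the failure mode).
OVERBROAD_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "secretsmanager:*", "Resource": "*"},
        {"Effect": "Allow", "Action": ["redshift:*", "ec2:Describe*"], "Resource": "*"},
    ],
}


def scoped_policy(prefix, account=ACCOUNT, region=REGION):
    """Build a task-role policy allowing reads only under one secret prefix.

    Secrets Manager appends a random 6-character suffix to every secret ARN,
    so the Resource pattern must end in a wildcard even for a single secret.
    """
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Action": ["secretsmanager:GetSecretValue"],
            "Resource": f"arn:aws:secretsmanager:{region}:{account}:secret:{prefix}*",
        }],
    }


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _secret_read_granted(actions):
    """True if any action pattern grants GetSecretValue, wildcards included."""
    for action in actions:
        a = action.lower()
        if a in ("*", "secretsmanager:*") or a in SECRET_READ_ACTIONS:
            return True
        if a.endswith("*") and any(s.startswith(a[:-1]) for s in SECRET_READ_ACTIONS):
            return True
    return False


def audit_policy(policy):
    """Return (statement_index, issue) tuples for over-broad Allow statements."""
    issues = []
    for i, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action", []))
        resources = _as_list(stmt.get("Resource", []))
        if "*" in actions:
            issues.append((i, "Action '*' grants every API in every service"))
        for a in actions:
            if a.endswith(":*"):
                issues.append((i, f"service-wide wildcard action {a}"))
        if _secret_read_granted(actions):
            for r in resources:
                if r == "*":
                    issues.append((i, "GetSecretValue on Resource '*' reads every secret in the account"))
                elif r.endswith(":secret:*"):
                    issues.append((i, f"secret ARN pattern {r} is not scoped to a name prefix"))
    return issues


if __name__ == "__main__":
    for idx, issue in audit_policy(OVERBROAD_POLICY):
        print(f"statement {idx}: {issue}")
    print(json.dumps(scoped_policy("prod/frontend/"), indent=2))
```

A linter like this catches the obvious wildcards; it does not evaluate permissions boundaries, SCPs or resource policies, so treat a clean result as necessary rather than sufficient, and confirm with IAM Access Analyzer or `simulate-principal-policy` against the actual role.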