LexisNexis Cloud Hack: Hackers Crack Legal Giant, Spill Judge Data and Cloud Secrets
Hackers under the alias FulcrumSec just punched through LexisNexis’s AWS cloud setup, swiping 2GB of juicy data on law firms, government agencies, and even U.S. federal judges.[1][4] The breach hit on February 24 but got confirmed days ago, exposing how basic screw-ups can torch a supply chain giant.
Diving into the tech guts: Attackers exploited React2Shell, a known vuln in an unpatched React app, then escalated via a super-permissive IAM role and a laughably weak hardcoded DB password—”Lexis1234.”[1] They grabbed 21,000+ enterprise accounts, 400,000 user profiles, VPC maps, 45 employee password hashes, 82k support tickets, and 53 plaintext cloud secrets.[1][4] Legacy data or not, it’s a goldmine for phishers and spies.
So What? Devs and sec teams: If you’re on AWS or any cloud, audit those IAM perms yesterday—overly broad roles are hacker catnip. Patch React apps religiously, ditch hardcoded creds, and treat vendors like LexisNexis as ticking bombs; your legal research tool just became a backdoor for nation-states targeting DoJ attorneys and judges.[1] Supply chain risks aren’t abstract—this is your clients’ data on dark web menus.
My take: LexisNexis’s second breach in a year screams “fire your cloud team,” but the real lesson is zero trust for third-parties. Patch fast, lock IAM tight, or watch your org become the next leak headline.[1]
