Hackers Crack LexisNexis Cloud Wide Open: 2GB of Legal & Gov Secrets Dumped
FulcrumSec just owned LexisNexis’s AWS setup, swiping 2.04 GB of juicy data from law firms and government clients worldwide.[1][5] They exploited an unpatched React app vuln called React2Shell, then rode misconfigured IAM roles and a laughable hardcoded password (“Lexis1234”) to escalate and exfil everything.[1]
Tech breakdown: Attack kicked off Feb 24 via that React2Shell flaw in a front-end app—zero-day style until patched elsewhere.[1] Attackers mapped the full VPC, grabbed 21K+ enterprise accounts, 400K user profiles with contacts, and intel on US federal judges and DOJ lawyers.[1] LexisNexis calls it “legacy” pre-2020 stuff, no SSNs, but it’s still a goldmine for phishers and spies. They’ve locked it down, called cops, and hired forensics pros—this is RELX’s second big oof in a year.[1]
So What? Devs and sec teams: If you’re on AWS or any cloud, audit those IAM perms now—overly broad roles are hacker catnip. Patch React apps religiously; React2Shell proves front-ends are prime entry points. For legal/gov shops hooked on LexisNexis, kiss supply chain trust goodbye—expect spear-phish waves using leaked contacts. This screams: Vet vendors like your job depends on it, ’cause it does.[1]
My take: LexisNexis got sloppy on basics any junior dev knows—hardcoded creds? In 2026? Pathetic. Wake-up call for Big Data suppliers: Your screw-ups torch your clients’ reps. Time to level up or get left in the dust.[1]
