Overview
- LexisNexis says hackers accessed a limited number of servers that stored mostly deprecated, pre‑2020 information.
- The company reports no exposure of Social Security or driver’s license numbers, financial data, active passwords, search queries, client or matter information, or customer contracts.
- LexisNexis says the incident is contained, its products and services were unaffected, and it has notified law enforcement and engaged an external forensics firm.
- FulcrumSec claims initial access on February 24 through the React2Shell vulnerability and says it exfiltrated millions of records and AWS secrets, including roughly 400,000 user profiles and more than 100 government‑affiliated accounts.
- The scale and contents of the data dump remain unverified, and security researchers warn that any exposed credentials and contact details could enable targeted phishing and social‑engineering attacks.