LexisNexis Data Breach: Salesforce Credentials Exposed in ‘3.9M Record Hack’


Hackers have allegedly exfiltrated more than 3.9M internal records linked to around 400,000 users from legal data company LexisNexis.

A relatively unknown hacking group, known as FulcrumSec, reportedly posted around “2.04GB of structured data” online after extracting the database records from LexisNexis cloud environments, including Salesforce, Amazon Web Services (AWS), and Oracle. 

What Data Was Compromised?

LexisNexis is a global provider of legal, regulatory, and business information, which is understood to work with around 91% of Fortune 100 companies and 85% of Fortune 500 companies.

The company, based in Atlanta, was founded in 1970 and has 40 offices, 11,000 employees, and customers in more than 180 countries and territories.

The breach is said to expose data connected to law firms, courts, regulators, and federal agencies, along with details of how LexisNexis manages cloud credentials, customer agreements, and internal systems, according to Cyber News. 

More than 21,000 enterprise customer accounts are included in the cache, including law firms, corporate clients, and government agencies, reports say. 

It is understood that dozens of unencrypted system credentials were also exposed, as well as more than 300,000 agreement records mapping customers to products that they subscribe to and key details like contract dates, pricing tiers, and renewal statuses. 

Ross Filipek, CISO at Corsica Technologies, said that the breach came down to an unpatched React app and a single ECS task role “with read access to every secret in the account”. Filipek added: “Once attackers were in, they had a straight path to production database credentials, 53 secrets in plaintext, and a complete map of the VPC infrastructure.”
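The task-role condition Filipek describes can be checked for in a policy review. The following is an added example, not code from LexisNexis or from the reporting: it flags IAM Allow statements that grant secret reads across every Secrets Manager secret. The function names and both sample policies are constructed for illustration.

```python
import fnmatch

SECRET_READ_ACTIONS = ("secretsmanager:GetSecretValue",
                       "secretsmanager:BatchGetSecretValue")

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _granted_reads(stmt):
    """Secret-read actions this statement allows (IAM matching is case-insensitive)."""
    def hit(action, patterns):
        return any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in patterns)
    if "NotAction" in stmt:  # Allow + NotAction grants everything not listed
        excluded = _as_list(stmt["NotAction"])
        return [a for a in SECRET_READ_ACTIONS if not hit(a, excluded)]
    patterns = _as_list(stmt.get("Action", []))
    return [a for a in SECRET_READ_ACTIONS if hit(a, patterns)]

def _covers_all_secrets(stmt):
    if "NotResource" in stmt:  # everything except a few ARNs is still too broad
        return True
    for res in _as_list(stmt.get("Resource", [])):
        parts = res.split(":", 5)
        if res == "*" or (len(parts) == 6 and parts[2] == "secretsmanager"
                          and parts[5] in ("*", "secret:*")):
            return True
    return False

def overbroad_secret_statements(policy):
    """Return (statement index, actions) for Allow statements that can read every secret.
    Condition blocks are not evaluated, so a flagged statement with one needs manual review."""
    findings = []
    for i, stmt in enumerate(_as_list(policy.get("Statement", []))):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _granted_reads(stmt)
        if actions and _covers_all_secrets(stmt):
            findings.append((i, actions))
    return findings

# Constructed sample policies (not from the incident): one wildcard task role
# policy and one scoped to a single application's secret prefix.
BROAD_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["secretsmanager:Get*", "s3:GetObject"], "Resource": "*"}]}
SCOPED_POLICY = {"Version": "2012-10-17", "Statement": {
    "Effect": "Allow", "Action": "secretsmanager:GetSecretValue",
    "Resource": "arn:aws:secretsmanager:us-east-1:111122223333:secret:webapp/*"}}

if __name__ == "__main__":
    print(overbroad_secret_statements(BROAD_POLICY))
    print(overbroad_secret_statements(SCOPED_POLICY))
```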

Hackers claimed to have compromised 118 accounts linked to US government email domains. That number is said to include three US federal judges and four Department of Justice attorneys.

In a post on BreachForums, made by the threat actor FulcrumSec, the author writes: “We exfiltrated 2.04 GB of structured data from LexisNexis AWS infrastructure… via a vulnerable React container.” 

The poster claimed to have accessed:

  • 536 Redshift tables. 
  • 430+ VPC database tables. 
  • Complete AWS Secrets Manager with 53 secrets. 
  • 3.9 million database records. 
  • Approximately 400,000 cloud user profiles with real names, emails, phone numbers, and job functions – including 118 users with .gov email addresses.
  • Credentials for services including Salesforce ETL systems, Oracle databases, and analytics platforms.
  • A number of API tokens and development access keys.

FulcrumSec claims that LexisNexis’s RDS master password was ‘Lexis1234’. 

LexisNexis told Cyber News that an “unauthorized party accessed a limited number of servers,” but the company added that its investigation found “no evidence of compromise or impact to our products and services”.

A LexisNexis spokesperson did confirm a breach took place, but said the stolen data was not up to date. They wrote in a help site post on March 4 that the company investigated “a security matter” and, based on the investigation and testing, they believe the matter is “contained”. 

The spokesperson continues: “We have no evidence of compromise of or impact to our products and services. We engaged a preeminent cybersecurity forensic firm to assist in our investigation and response and have reported this issue to law enforcement.”

LexisNexis said that their investigation confirmed that an unauthorized party accessed a “limited number of servers”, but these servers contained “mostly legacy, deprecated data” from before 2020. 

This data includes customer names, user IDs, business contact information, products used, customer surveys with respondent IP addresses, and support tickets, LexisNexis said.

The company stresses that the impacted information did not contain Social Security numbers, driver’s license numbers, or “any other sensitive personally identifiable information”.

Credit card, bank account, and other financial information was not affected, nor were active passwords, customer client or matter information, or customer contracts.

The LexisNexis spokesperson said the company has informed impacted customers and is continuing to investigate. It has implemented “containment and remediation steps, in coordination with our expert cybersecurity forensic firm”, they added. 

A Salesforce spokesperson told SF Ben: “As a matter of policy, Salesforce does not comment on specific customer issues. We have no indication at this time that this issue was caused by any vulnerability in our platform.”

Summary

At first glance, this story seems like more bad news for Salesforce, given yet another customer data breach. But with the nature of this compromise being so different from the series of breaches in 2025, it’s perhaps best to view this latest incident as its own story. 

But in doing so, there is no solace for Salesforce customers. The LexisNexis breach underscores that malicious actors are always looking for new attack vectors. The Scattered LAPSUS$ Hunters shone a bright spotlight on the attack opportunity of Software as a Service. We should expect others in the future, and every Salesforce customer needs to take steps to reduce the likelihood and impact of a future breach. 
