
Mar 04, 2026 · 5 min read

The Company That Stores Every Court Record in America Got Hacked With the Password "Lexis1234"

Hackers exploited an unpatched React vulnerability and a reused master password to breach LexisNexis' AWS infrastructure, stealing 3.9 million records including profiles of federal judges and DOJ attorneys.

LexisNexis Legal & Professional, the company that hosts 119 billion legal documents and serves as the backbone of American legal research, confirmed this week that hackers breached its AWS cloud infrastructure and stole 3.9 million internal records, including profiles of federal judges, Department of Justice attorneys, and SEC staff.

The kicker? The database master password was "Lexis1234." And it was reused five times.


How the Breach Happened

On February 24, 2026, a threat actor operating under the alias FulcrumSec exploited CVE-2025-55182, better known as React2Shell, a critical vulnerability in React Server Components that carries a perfect CVSS score of 10.0. The flaw had been publicly disclosed three months earlier, in December 2025, and had already been exploited by Chinese state-backed hacking groups within hours of its announcement.

LexisNexis had not patched it.

From there, FulcrumSec moved laterally through the company's AWS environment, accessing a React container with read permissions to hundreds of Amazon Redshift analytics tables. The attackers ultimately reached 536 Redshift tables, more than 430 VPC database tables, and AWS Secrets Manager, from which they extracted 53 stored secrets.

What Was Stolen

The stolen data includes approximately 400,000 cloud user profiles containing real names, email addresses, phone numbers, and job functions. Among those profiles, 118 belonged to users with .gov email addresses:

  • Federal judges and law clerks
  • U.S. Department of Justice attorneys
  • SEC staff members
  • Federal court clerks

Beyond user data, FulcrumSec claims to have accessed plaintext login credentials, IT incident tickets, customer surveys with respondent IP addresses, support tickets, and product usage data. In total, the haul amounts to 3.9 million records and 2.04 GB of structured data.

"Lexis1234"

FulcrumSec published a detailed account of the intrusion and openly mocked the company's security posture. The attackers pointed out that the Amazon RDS master password was "Lexis1234," and that it had been reused across five different systems. They also noted that employee password hashes were accessible through the compromised infrastructure.

"The company that indexes the world's legal information could not index its own IAM policies," FulcrumSec wrote.

LexisNexis Downplays the Impact

In a statement, LexisNexis characterized the stolen data as "mostly legacy, deprecated data from prior to 2020" and said the breach involved "a limited number of servers." The company added: "We believe the matter is contained. We have no evidence of compromise of or impact to our products and services."

The company has engaged an external cybersecurity forensic firm, reported the incident to law enforcement, and notified affected current and previous customers.

However, this is not LexisNexis' first breach. Its sister division, LexisNexis Risk Solutions, disclosed a separate incident in 2025 that affected over 360,000 people and exposed Social Security numbers and driver's license information.

Why Government Email Exposure Matters

When federal judges' and DOJ attorneys' email addresses leak alongside their job functions, phone numbers, and account metadata, the risk goes beyond spam. These profiles become high-value targets for spear phishing, social engineering, and even physical security threats.

An attacker who knows a federal judge's email address, phone number, and the legal research tools they use can craft a convincing phishing message that appears to come from a trusted platform. Combined with the stolen plaintext credentials, the exposure creates a direct path to account compromise across any service where those credentials were reused.

The Bigger Picture

The LexisNexis breach is a case study in how basic security failures compound. A CVSS 10.0 vulnerability left unpatched for three months. A master password that would fail most consumer website requirements. No apparent segmentation between a compromised React frontend and hundreds of production database tables.

For organizations that store sensitive data, this is the reminder: patch management, credential hygiene, and cloud access controls are not optional. The attackers who breached LexisNexis did not need a sophisticated zero-day or insider access. They needed a search engine, a known exploit, and a weak password.
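
As an added example (not from the article or from LexisNexis), this Python check illustrates the credential hygiene point above: it groups secrets that share one value and flags short or organization-name-derived passwords. The system names, the 14-character floor and every sample value other than "Lexis1234" are assumptions constructed for illustration.

```python
import hashlib
import hmac
import re
import secrets
from collections import defaultdict

MIN_LENGTH = 14  # assumed policy floor for service credentials


def is_weak(value, org_terms):
    """Flag short values and 'brand name + digits' patterns such as Lexis1234."""
    if len(value) < MIN_LENGTH:
        return True
    # Strip trailing digits and punctuation, then look for an organization term.
    stem = re.sub(r"[\d\W_]+$", "", value).lower()
    return any(term.lower() in stem for term in org_terms)


def audit(credentials, org_terms):
    """Return (reused, weak): groups of names sharing one value, and weak names.
    Values are grouped by HMAC fingerprint under a throwaway key, so the
    grouping and the returned report carry no plaintext.
    """
    key = secrets.token_bytes(32)
    groups = defaultdict(list)
    weak = []
    for name, value in credentials.items():
        tag = hmac.new(key, value.encode(), hashlib.sha256).hexdigest()
        groups[tag].append(name)
        if is_weak(value, org_terms):
            weak.append(name)
    reused = sorted(sorted(names) for names in groups.values() if len(names) > 1)
    return reused, sorted(weak)


# Constructed inventory: system names and the last two values are hypothetical;
# only "Lexis1234" and its reuse across five systems come from the article.
SAMPLE = {
    "rds-master": "Lexis1234",
    "redshift-admin": "Lexis1234",
    "etl-service": "Lexis1234",
    "reporting-db": "Lexis1234",
    "legacy-api": "Lexis1234",
    "billing-db": "LexisNexisProd2024!",
    "search-index": "q7V$eR2m-Zp9xL4tWb",
}

if __name__ == "__main__":
    print(audit(SAMPLE, ["lexis"]))
```

The report names which systems share a value without echoing the value itself, so it can be filed in a ticket without spreading the secret further.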