FulcrumSec Loots Plaintext Cloud Secrets and Over-Privileged IAM Roles in LexisNexis and Arup Extortion Breaches

FulcrumSec is a financially motivated data-extortion group that breaches large organizations, loots plaintext cloud secrets and over-privileged IAM roles, exfiltrates at scale, then publishes detailed breakdowns to extort. Confirmed victims include LexisNexis and Arup Group.

Who FulcrumSec Is

FulcrumSec is a financially motivated data-theft extortion group active since September 2025. The group specializes in rapid exfiltration of cloud-hosted data, and its operators show a consistent preference for one class of weakness: exposed and unrotated credentials sitting in code or cloud infrastructure, paired with over-privileged access that turns a single foothold into full-environment compromise. Rather than encrypting systems, FulcrumSec steals data at scale and pressures victims with detailed public breakdowns of exactly how the intrusion happened - a tactic built to maximize reputational damage and force payment.

Two confirmed engagements show the pattern clearly: the February 2026 breach of LexisNexis Legal & Professional, and the May 2026 breach of UK engineering consultancy Arup Group.

LexisNexis: Exploited Frontend to Plaintext Secrets (February 2026)

LexisNexis Legal & Professional confirmed that attackers accessed a limited number of its servers after FulcrumSec leaked roughly 2GB of files on underground forums. The group says it gained access on February 24 by exploiting the React2Shell vulnerability in an unpatched React frontend application, giving it a foothold in the company's AWS environment.

From there, FulcrumSec claims it exfiltrated 2.04GB of structured data through a vulnerable React container with access to 536 Redshift tables, more than 430 VPC database tables, 3.9 million database records, 21,042 customer accounts, and 45 employee password hashes, plus complete VPC infrastructure mapping. Critically, the container could read 53 AWS Secrets Manager secrets in plaintext. The group publicly criticized LexisNexis for allowing a single ECS task role read access to every secret in the account, including the production Redshift master credential.

FulcrumSec also claims access to around 400,000 cloud user profiles with names, emails, phone numbers, and job functions, including 118 users with .gov addresses tied to government employees, federal judges and law clerks, Department of Justice attorneys, and SEC staff. LexisNexis stated the exposed data was mostly legacy and pre-2020, and did not include Social Security numbers, financial data, active passwords, or customer search queries. The company contacted law enforcement and engaged external responders; FulcrumSec says LexisNexis declined to negotiate. This was the company's second disclosed breach in roughly a year, following a 2024 incident affecting 364,000 people.

Arup Group: Leaked Token to 10,000 Repositories (May 2026)

In the Arup case, FulcrumSec claims initial access in September 2025 through a GitHub personal access token hardcoded in a JavaScript file on a forgotten Arup subdomain. That single token reportedly unlocked more than 10,000 private GitHub repositories. Scanning those repositories surfaced further hardcoded tokens, API keys, and passwords for AWS, Azure, and databases, and the group says it pivoted into AWS using keys belonging to Arup subsidiary Neuron.

The claimed haul is large: roughly 700GB of private GitHub repositories (9,880+ repos) and nearly 2TB of Azure Blob Storage, AWS S3, and database backups. FulcrumSec also lists Apple code-signing certificates with plaintext passwords, a Google Cloud project containing production payment-gateway credentials, complete ArupCompute and Oasys source code, Neuron BMS client databases, and Odoo ERP data. According to the group, Arup detected the GitHub and Azure intrusions roughly six weeks after they occurred and rotated credentials, but the data had already been exfiltrated. The post also names downstream client exposure and, notably for the UK, references data tied to dozens of HS2-related repositories.
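The Arup entry point described above (a personal access token sitting in a JavaScript file on a forgotten subdomain) is the kind of exposure a pre-commit hook or CI scan exists to catch. The scanner below is an added example, not code from the original post, from Arup or from FulcrumSec; it matches the public token prefixes GitHub and AWS use (classic PATs `ghp_`, fine-grained PATs `github_pat_`, access key IDs `AKIA`/`ASIA`) plus a generic "long literal assigned to a secret-looking name" rule, and runs over a constructed JavaScript sample in which every credential is fake.

```python
"""Added example (not from the original post, Arup or FulcrumSec): a minimal
hardcoded-credential scanner of the kind a pre-commit hook or CI job would run
over repositories and deployed web assets. The prefixes it matches (GitHub
classic PATs 'ghp_', fine-grained PATs 'github_pat_', AWS access key IDs
'AKIA'/'ASIA') are GitHub's and AWS's public formats; the JavaScript sample
below is constructed, and every credential in it is fake."""
import re
import sys

# Public token formats plus a generic "secret-looking assignment" catch-all.
PATTERNS = {
    "github_pat_classic": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "github_pat_fine_grained": re.compile(r"\bgithub_pat_[A-Za-z0-9_]{22,255}\b"),
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[A-Z0-9]{16}\b"),
    # A long string literal assigned to a name such as password/token/api_key.
    "generic_assignment": re.compile(
        r"(?i)\b(?:api[_-]?key|secret|password|token)\b\s*[:=]\s*['\"]([^'\"]{12,})['\"]"
    ),
}

def redact(value):
    """Keep enough of a match to locate it without reproducing the secret in a report."""
    if len(value) <= 12:
        return "***"
    return value[:6] + "..." + value[-4:]

def scan_text(text, source="<memory>"):
    """Return one finding per credential-like match, with the matched value redacted."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for kind, pattern in PATTERNS.items():
            for m in pattern.finditer(line):
                # Patterns with a capture group carry the secret in group 1.
                secret = m.group(m.lastindex or 0)
                findings.append({"source": source, "line": lineno, "type": kind, "match": redact(secret)})
    return findings

def scan_file(path):
    with open(path, encoding="utf-8", errors="replace") as fh:
        return scan_text(fh.read(), source=path)

# Constructed sample: a forgotten build artifact with a PAT and an AWS key inline.
SAMPLE_JS = """\
// constructed sample of a forgotten build artifact; tokens below are fake
const config = {
  endpoint: "https://api.example.invalid/v1",
  githubToken: "ghp_EXAMPLEexampleEXAMPLEexampleEXAMPLE0",
  awsAccessKeyId: "AKIAIOSFODNN7EXAMPLE",
};
const password = "c0nstructed-dummy-pass";
console.log(config.endpoint);
"""

if __name__ == "__main__":
    paths = sys.argv[1:]
    results = [f for p in paths for f in scan_file(p)] if paths else scan_text(SAMPLE_JS, "SAMPLE_JS")
    for f in results:
        print(f"{f['source']}:{f['line']} {f['type']} {f['match']}")
    sys.exit(1 if results else 0)  # a non-zero exit blocks the commit when used as a hook
```

Run it with file paths as arguments to scan real files, or with no arguments to scan the embedded sample. The value in each finding is redacted on purpose: a scanner report that reproduces the secret it found is itself another plaintext copy to leak.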

The Common Thread: Adaptable Entry, Identical Cloud Looting

FulcrumSec threat actor profile showing the group's five-stage playbook and a side-by-side of the confirmed LexisNexis and Arup breaches, highlighting shared plaintext-secret and over-privileged-IAM failures.

The two intrusions begin differently and end the same way. At LexisNexis the entry point was an exploited vulnerability in an internet-facing app; at Arup it was a leaked credential on a forgotten asset. After that initial foothold the playbook is identical: locate secrets stored in plaintext, abuse over-privileged roles and additional hardcoded keys to expand across the cloud estate, exfiltrate at scale, then publish a detailed breakdown to apply pressure. FulcrumSec invests months analyzing stolen data and negotiating before going public - in October 2025, VX-Underground documented the group emailing breach specifics with the explicit aim of getting them published to pressure a victim.

The group also frames its demands as economically rational for the target. In the Arup case, FulcrumSec claimed the ransom was less than 1% of the company's annual revenue and less than the £20 million-plus that Arup reportedly lost to a 2024 deepfake video-call fraud - a public incident that may have contributed to the group selecting Arup as a target. For defenders, the lesson is that the initial-access vector is the variable; the credential-hygiene and cloud-permission failures that follow are what actually enable the breach.

Hardening Against the FulcrumSec Playbook

  • Hunt for hardcoded secrets. Enable secret scanning (GitHub Secret Scanning, pre-commit hooks) across all repositories, including archived and forgotten ones, and rotate any exposed token immediately rather than weeks later.
  • Scope cloud IAM to least privilege. No single role, task, or container should be able to read every secret in an account. Isolate production master credentials from application roles.
  • Stop storing secrets in plaintext. Gate access to Secrets Manager and equivalent stores, and never commit code-signing certificates, keys, or their passwords to source control.
  • Inventory and retire shadow IT. The Arup entry point was a forgotten subdomain. Catalog internet-facing assets and decommission unused ones before they become an unmonitored door.
  • Patch internet-facing apps quickly. The LexisNexis entry was an unpatched React frontend; exposed web apps need a fast patch cycle.
  • Detect mass access. Bulk repository cloning and large-scale cloud-storage reads are visible in GitHub audit logs and cloud access logs - alert on them and keep a response plan ready.
  • Plant canary tokens. Because FulcrumSec spends months analyzing exfiltrated data before contact, canary tokens in sensitive documents and repositories can surface a breach far earlier.
  • Map third-party exposure. Arup's breach carried downstream client impact. Know what data your vendors hold so you can scope your own response when they are hit.
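Two of the controls above, scoping IAM so that no single role can read every secret and alerting on mass access, can both be checked offline. The script below is an added example and is not code from the original post, from LexisNexis or from AWS: it audits IAM policy documents for an unconditional Allow that grants secret reads on every secret in the account (the task-role shape the LexisNexis section describes), and runs a simple detector over CloudTrail-style `GetSecretValue` events to flag one identity reading many distinct secrets in a short window. The policies, role ARNs and events are constructed for the example, and `111122223333` is a documentation placeholder account ID.

```python
"""Added example, not from the original post, LexisNexis or AWS: an offline
audit of IAM policy documents that flags a principal able to read every secret
in an account, plus a detector over CloudTrail-style GetSecretValue events for
one identity reading many distinct secrets in a short window. Policies, ARNs
and events below are constructed; 111122223333 is a placeholder account ID."""
import fnmatch
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Secrets Manager actions that return secret material (lower-cased for matching).
SECRET_READ_ACTIONS = ("secretsmanager:getsecretvalue", "secretsmanager:batchgetsecretvalue")

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _action_matches(policy_action, action):
    # IAM actions are case-insensitive and support '*' wildcards ("secretsmanager:*", "*").
    return fnmatch.fnmatchcase(action, policy_action.lower())

def _is_every_secret(resource):
    """True for '*' or a Secrets Manager ARN whose secret-name part is just '*'."""
    if resource == "*":
        return True
    parts = resource.split(":", 6)
    return len(parts) == 7 and parts[2] in ("secretsmanager", "*") and parts[6] == "*"

def audit_secret_access(role_name, policy_doc):
    """Return findings for unconditional Allow statements granting secret reads on all secrets."""
    findings = []
    for stmt in _as_list(policy_doc.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action", []))
        if not any(_action_matches(a, s) for a in actions for s in SECRET_READ_ACTIONS):
            continue
        broad = [r for r in _as_list(stmt.get("Resource", [])) if _is_every_secret(r)]
        if broad and not stmt.get("Condition"):
            findings.append({"role": role_name, "sid": stmt.get("Sid"), "resources": broad})
    return findings

def detect_mass_secret_reads(events, threshold=10, window_minutes=5):
    """Alert when one identity reads >= threshold distinct secrets within window_minutes."""
    reads = defaultdict(list)
    for ev in events:
        if ev.get("eventSource") != "secretsmanager.amazonaws.com" or ev.get("eventName") != "GetSecretValue":
            continue
        when = datetime.fromisoformat(ev["eventTime"].replace("Z", "+00:00"))
        reads[ev["userIdentity"]["arn"]].append((when, ev["requestParameters"]["secretId"]))
    alerts = []
    for identity, items in reads.items():
        items.sort()
        for i, (start, _) in enumerate(items):
            in_window = {s for t, s in items[i:] if t - start <= timedelta(minutes=window_minutes)}
            if len(in_window) >= threshold:
                alerts.append({"identity": identity, "distinct_secrets": len(in_window),
                               "window_start": start.isoformat()})
                break  # one alert per identity is enough
    return alerts

# Constructed policies: the over-broad shape beside a least-privilege one.
OVERBROAD_TASK_ROLE = {"Version": "2012-10-17", "Statement": [
    {"Sid": "ReadAllSecrets", "Effect": "Allow",
     "Action": ["secretsmanager:GetSecretValue", "secretsmanager:DescribeSecret"],
     "Resource": "*"}]}
SCOPED_TASK_ROLE = {"Version": "2012-10-17", "Statement": [
    {"Sid": "ReadOwnSecrets", "Effect": "Allow", "Action": "secretsmanager:GetSecretValue",
     "Resource": "arn:aws:secretsmanager:us-east-1:111122223333:secret:app/web-frontend/*"}]}

TASK_ROLE_ARN = "arn:aws:sts::111122223333:assumed-role/web-frontend-task-role/ecs-task"
DEPLOY_ROLE_ARN = "arn:aws:sts::111122223333:assumed-role/deploy-role/ci"

def _event(arn, secret_id, when):
    return {"eventTime": when.strftime("%Y-%m-%dT%H:%M:%SZ"), "eventSource": "secretsmanager.amazonaws.com",
            "eventName": "GetSecretValue", "userIdentity": {"arn": arn},
            "requestParameters": {"secretId": secret_id}}

_T0 = datetime(2026, 2, 24, 3, 0, tzinfo=timezone.utc)
# Constructed trail: the task role sweeps 12 distinct secrets in two minutes; CI reads two, an hour apart.
SAMPLE_EVENTS = [_event(TASK_ROLE_ARN, f"prod/service-{i}/db", _T0 + timedelta(seconds=10 * i)) for i in range(12)]
SAMPLE_EVENTS += [_event(DEPLOY_ROLE_ARN, "ci/registry", _T0),
                  _event(DEPLOY_ROLE_ARN, "ci/signing", _T0 + timedelta(hours=1))]

if __name__ == "__main__":
    for name, doc in (("web-frontend-task-role", OVERBROAD_TASK_ROLE), ("web-frontend-task-role-v2", SCOPED_TASK_ROLE)):
        print(name, audit_secret_access(name, doc) or "ok: no all-secrets grant")
    print(detect_mass_secret_reads(SAMPLE_EVENTS))
```

The audit deliberately ignores statements carrying a `Condition`, since a condition-scoped grant needs a human to judge it; the point is to surface the unconditional "read everything" grant that lets one compromised container walk the whole account. The detector counts distinct secrets rather than raw call volume so that an application polling its own credential on a schedule does not trip it, while a sweep across many secrets does.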

The Bigger Picture

FulcrumSec is worth tracking because it is not a smash-and-grab operation. It selects large, well-resourced organizations, invests months in reconnaissance and analysis, and builds public extortion narratives engineered for maximum pressure. But across two very different victims, the actual breach was enabled by the most basic failures: secrets left in plaintext, credentials left unrotated, and cloud roles granted far more access than they needed. The group's sophistication is in target selection and pressure, not in novel exploitation - which means the defenses are well understood and entirely within reach. Treat credential hygiene and least-privilege cloud access as core controls rather than afterthoughts, and you remove the exact conditions FulcrumSec depends on.