Management Assistance Program
When Hackers Mock the Passwords: A Reminder About Vendor Security
By Julie Bays, OBA Management Assistance Program Director
A recent cybersecurity report about a breach involving LexisNexis contained an unusual detail. The attackers did not just claim they accessed company systems. They publicly mocked the company’s passwords.
According to reports, a threat actor calling itself “FulcrumSec” gained access to LexisNexis cloud infrastructure by exploiting a vulnerability in an unpatched web application. The group claims it extracted millions of records tied to roughly 400,000 user profiles, including accounts connected to courts and government agencies. (Cybernews)
What caught the attention of many security professionals was something else. The attackers said they found examples of password reuse across internal systems. One password reportedly used in multiple places was “Lexis1234.” The group even joked about predictable password patterns used in other systems.
LexisNexis has stated that the compromised servers contained mostly older data from before 2020 and that there is no evidence that customer financial information, active passwords, or search queries were affected. (The Record from Recorded Future)
Still, the incident offers a useful reminder for lawyers.
Many lawyers assume that large legal technology vendors have perfect security practices. No system is error-proof. Legal technology platforms, research services, practice management systems, and cloud tools are all part of the modern law practice. Each connection adds convenience, but it also adds another potential entry point for attackers.
That does not mean lawyers should avoid legal technology. It does mean lawyers should take practical steps to protect their own accounts.
First, use a unique password for every legal technology platform. Password reuse remains one of the easiest ways for attackers to move from one compromised system into another.
Second, enable multi-factor authentication whenever it is available. Even if a password is exposed in a breach, a second authentication factor can often stop an unauthorized login.
Third, consider using a password manager. These tools generate and store strong passwords, so you do not have to remember them all.
Finally, be cautious about phishing emails that appear after a breach is reported. Stolen contact information often becomes the basis for convincing “password reset” messages or fake alerts that appear to come from trusted services.
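As an added illustration, and not code from this article or from LexisNexis, the following Python script shows the kind of check a firm could run over an export from its password manager to surface the two weaknesses the attackers pointed to: the same password reused across several accounts, and predictable patterns such as a vendor name followed by digits or a season followed by a year. The sample vault, the vendor-name list, and the pattern rules are all assumptions constructed for the example; the passwords in it are illustrative and not real credentials.

```python
import hashlib
import re
from collections import defaultdict

# Constructed sample vault (account label, password), standing in for a
# password manager export. These are made-up values for the example only.
SAMPLE_VAULT = [
    ("research-portal", "Lexis1234"),
    ("billing-system", "Lexis1234"),
    ("court-efiling", "Lexis1235"),
    ("cloud-storage", "Tq9!vR2#mWz8pL4k"),
    ("email", "Summer2024!"),
]

# Hypothetical list of vendor and firm names a password should never be built from.
VENDOR_NAMES = ["lexis", "acme"]

# Only digits or common symbols after a vendor name, e.g. "Lexis1234".
TRAILER_ONLY = re.compile(r"[0-9!@#$%^&*]*")
SEQ_DIGITS = re.compile(r"(0123|1234|2345|3456|4567|5678|6789)")
SEASON_YEAR = re.compile(r"^(spring|summer|fall|autumn|winter)\d{4}[!@#$%^&*]*$", re.I)
MIN_LENGTH = 12


def fingerprint(password: str) -> str:
    # Compare hashes rather than plaintext so reuse can be reported without
    # echoing the passwords themselves in the audit output.
    return hashlib.sha256(password.encode("utf-8")).hexdigest()[:16]


def find_reuse(vault):
    """Return groups of account labels that share the same password."""
    by_hash = defaultdict(list)
    for account, password in vault:
        by_hash[fingerprint(password)].append(account)
    return sorted(sorted(accounts) for accounts in by_hash.values() if len(accounts) > 1)


def predictable_reasons(password: str, names=VENDOR_NAMES):
    """List the reasons a password counts as predictable (empty list if none)."""
    reasons = []
    lowered = password.lower()
    for name in names:
        if lowered.startswith(name) and TRAILER_ONLY.fullmatch(lowered[len(name):]):
            reasons.append(f"vendor name '{name}' followed only by digits or symbols")
            break
    if SEQ_DIGITS.search(password):
        reasons.append("sequential digit run")
    if SEASON_YEAR.match(password):
        reasons.append("season followed by a year")
    if len(password) < MIN_LENGTH:
        reasons.append(f"shorter than {MIN_LENGTH} characters")
    return reasons


def audit(vault, names=VENDOR_NAMES):
    """Return (reuse groups, {account: reasons}) for everything worth fixing."""
    reuse = find_reuse(vault)
    weak = {}
    for account, password in vault:
        reasons = predictable_reasons(password, names)
        if reasons:
            weak[account] = reasons
    return reuse, weak


if __name__ == "__main__":
    reuse_groups, weak_accounts = audit(SAMPLE_VAULT)
    for group in reuse_groups:
        print("same password reused on:", ", ".join(group))
    for account, reasons in weak_accounts.items():
        print(f"{account}: {'; '.join(reasons)}")
```

The audit never prints a password, only account labels and the rule each one tripped, so its output can be shared with the person who has to rotate the affected accounts. Running it against the constructed vault flags the two accounts sharing “Lexis1234” as reuse and lists the vendor-name, sequential-digit and season-plus-year patterns as predictable; only the randomly generated sixteen-character entry passes clean.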
Cybersecurity incidents will continue to happen, even at companies that provide services to the legal profession. The best defense for lawyers is maintaining strong security practices on their own accounts.
Sometimes the most interesting lesson from a breach is not what was stolen. It is what the attackers reveal about how the systems were protected in the first place.