Data Breach at Figure Exposes Nearly 1 Million Fintech Accounts
Figure Technology Solutions, a blockchain-based financial technology firm, recently suffered a significant data breach. The attack exposed personal information of nearly 1 million accounts, affecting approximately 967,200 users.
Details of the Data Breach
The incident occurred when hackers executed a social engineering attack, tricking an employee into granting access to sensitive files. Although Figure did not publicly announce the breach, a spokesperson confirmed the theft of a limited number of files.
Extent of the Exposure
According to the notification service Have I Been Pwned, the exposed data included:
- Over 900,000 unique email addresses
- Names
- Phone numbers
- Physical addresses
- Dates of birth
The sensitive information dates back to January 2026. In February 2026, the stolen data was publicly shared online.
Perpetrators Behind the Breach
The hacking group ShinyHunters claimed responsibility for this incident. They released approximately 2.5GB of data, reportedly belonging to thousands of loan applicants. The group has been linked to other breaches at companies like Canada Goose, Panera Bread, and Match Group.
Methods Used by Attackers
This breach highlights the growing threat of social engineering attacks. In many cases, hackers impersonate IT support teams and target employees of large organizations. These attackers attempt to collect credentials and multi-factor authentication codes through phishing attempts.
Impact on Figure Technology Solutions
The breach raises concerns about the security practices of fintech companies. Figure Technology Solutions, which has facilitated over $22 billion in home equity transactions with numerous partners, must enhance its security measures to protect user information.
As the cybersecurity landscape evolves, organizations must remain vigilant and adopt stronger defenses against social engineering and other cyber threats. For now, affected individuals should monitor their accounts closely and be on alert for phishing attempts.
