Figure Technology's Data Breach: ShinyHunters Exposes Customer Data in a Sophisticated Social Engineering Attack on Blockchain Fintech Leader
In a significant cybersecurity incident shaking the fintech sector, Figure Technology Solutions, a leading blockchain-powered lending company, has publicly confirmed a data breach that exposed sensitive customer personal information. The breach, which occurred through a targeted social engineering attack on an employee, has drawn attention to the persistent risks associated with human factors in even the most advanced technological environments.
About Figure Technology Solutions
Figure Technology Solutions, Inc. (ticker: FIGR), is a prominent player in the financial technology landscape. Founded in 2018 by Mike Cagney, the former CEO of SoFi, the company is headquartered in Reno, Nevada. Figure has gained recognition for disrupting traditional lending by leveraging blockchain technology to offer faster, more efficient loan products.
The company's flagship offerings include home equity lines of credit (HELOCs), cash-out refinances, debt service coverage ratio (DSCR) loans for investors, and crypto-backed financing solutions. Central to its operations is the Provenance Blockchain, a custom Layer 1 network that enables rapid loan origination, tokenization, securitization, and secondary market trading. This infrastructure has allowed Figure to reduce HELOC funding times to as little as five to ten days, far surpassing conventional industry standards.
Figure also operates Figure Connect, a marketplace that connects originators with institutional buyers, enhancing liquidity in loan markets. The company has unlocked billions in home equity for homeowners and maintains partnerships with hundreds of banks, credit unions, and other financial institutions. In recent performance updates, Figure reported substantial growth, with consumer loan marketplace volume increasing 131 percent year-over-year to $2.7 billion in the fourth quarter of 2025, demonstrating strong momentum even as it navigates public market challenges following its listing.
Details of the Breach
The incident was disclosed on February 13, 2026. According to statements from Figure spokesperson Alethea Jadick, the breach stemmed from a social engineering attack in which an employee was deceived into granting unauthorized access to their corporate account. Hackers then downloaded a limited number of files containing customer data.
Figure emphasized that the compromise did not involve direct access to financial accounts, funds, or core blockchain systems. The company promptly contained the incident by isolating the affected account, engaged an independent third-party forensic firm to conduct a thorough investigation, and began notifying potentially impacted individuals. As part of its response, Figure is offering free credit monitoring services to all notified customers to help protect against potential identity theft or related fraud.
ShinyHunters Claims Responsibility and Publishes Data
The notorious hacking collective ShinyHunters quickly claimed responsibility for the attack via its dark web leak site. The group stated that Figure had refused to comply with their ransom demands, prompting them to publicly release approximately 2.5 gigabytes of allegedly stolen data.
Independent verification by media outlets, including TechCrunch, confirmed portions of the leaked files. The exposed information includes customers' full names, home addresses, dates of birth, and phone numbers. While Figure described the volume of data as limited, the release nonetheless constitutes a meaningful exposure of personally identifiable information (PII) for an undetermined number of individuals.
ShinyHunters positioned this breach as one element in a broader campaign targeting organizations that utilize Okta, a widely adopted single sign-on provider. The group has previously compromised other high-profile Okta customers, including institutions like Harvard University and the University of Pennsylvania, using similar tactics focused on voice-based phishing (vishing) and credential theft to bypass conventional email defenses.
Risks Posed by the Exposed Data
The leaked personal details, though they do not include financial credentials or account numbers, present substantial risks if they fall into malicious hands. Cybercriminals could exploit this information for:
- Highly targeted phishing or spear-phishing campaigns that appear legitimate due to accurate personal details.
- Identity theft attempts, such as opening fraudulent accounts, applying for credit, or filing false tax returns.
- Further social engineering operations to extract additional sensitive information from victims.
- Combination with other publicly available or previously leaked data to build comprehensive profiles for more sophisticated attacks.
Affected customers are strongly encouraged to monitor credit reports regularly, activate fraud alerts with major credit bureaus, enable multifactor authentication on all accounts, and remain cautious of unsolicited contacts requesting additional personal or financial details.
Figure's Response and Security Enhancements
Figure has prioritized transparency and remediation in its handling of the incident. Beyond the immediate containment and forensic investigation, the company is reviewing and strengthening internal security controls, including improved employee awareness training on social engineering threats, enhanced access management protocols, and additional safeguards around privileged accounts.
In official communications, Figure reiterated its collaboration with partners and affected parties while affirming that core lending operations and blockchain infrastructure remained unaffected. The company's proactive steps, including the provision of credit monitoring, align with industry best practices for breach response and aim to minimize long-term harm to customers.
Implications for Fintech and Blockchain Ecosystems
This breach underscores a critical vulnerability in modern fintech: reliance on human elements and third-party identity platforms like Okta can create entry points that technical defenses alone cannot fully eliminate. Social engineering attacks continue to rise in sophistication, often succeeding where perimeter security fails.
For blockchain-native companies like Figure, the incident highlights that distributed ledger advantages in transaction integrity and transparency do not inherently protect against upstream access compromises. As fintech integrates deeper with mainstream finance, regulators and customers alike will demand higher standards for identity verification, access governance, and incident preparedness.
The event may accelerate industry shifts toward phishing-resistant authentication methods (such as passkeys or hardware tokens), zero-trust principles, behavioral monitoring, and more rigorous vendor risk assessments for SSO providers.
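As an added illustration of the behavioral monitoring mentioned above (not code from Figure, Okta, or any vendor), the following Python example flags the pattern this incident describes: an established account appearing on a previously unseen device and pulling an unusual number of files shortly afterwards. The event field names, the one-hour window, the 20-file threshold, and the sample events are all assumptions constructed for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

def flag_bulk_download_from_new_device(events, window=timedelta(hours=1), max_files=20):
    """Alert when a device that is new for an established user downloads
    more than max_files files within `window` of its first appearance."""
    first_seen = {}               # (user, device) -> first time this pair was observed
    devices = defaultdict(set)    # user -> devices observed so far
    fresh = set()                 # pairs that were new for a user with a prior baseline
    counts = defaultdict(int)     # downloads per fresh pair inside the window
    alerts = []
    for e in sorted(events, key=lambda ev: ev["ts"]):
        ts = datetime.fromisoformat(e["ts"])
        key = (e["user"], e["device"])
        if key not in first_seen:
            first_seen[key] = ts
            if devices[e["user"]]:          # user already has a known device
                fresh.add(key)
            devices[e["user"]].add(e["device"])
        if e["action"] == "download" and key in fresh and ts - first_seen[key] <= window:
            counts[key] += 1
            if counts[key] == max_files + 1:   # alert once, when the threshold is crossed
                alerts.append({"user": e["user"], "device": e["device"], "at": e["ts"]})
    return alerts

def mk(user, device, action, start, n=1):
    """Build n constructed events, one minute apart (hypothetical schema)."""
    t0 = datetime.fromisoformat(start)
    return [{"ts": (t0 + timedelta(minutes=i)).isoformat(), "user": user,
             "device": device, "action": action} for i in range(n)]

# Constructed sample data, not taken from the incident.
SAMPLE = (
    mk("alice", "laptop-1", "login", "2026-01-05T09:00:00")
    + mk("alice", "laptop-1", "download", "2026-01-05T09:05:00", 30)   # baseline device: not scored
    + mk("bob", "laptop-2", "login", "2026-01-05T09:00:00")
    + mk("bob", "phone-7", "login", "2026-01-06T10:00:00")
    + mk("bob", "phone-7", "download", "2026-01-06T10:01:00", 3)       # new device, low volume
    + mk("alice", "unknown-9", "login", "2026-01-20T02:10:00")
    + mk("alice", "unknown-9", "download", "2026-01-20T02:12:00", 25)  # new device, bulk pull
)

if __name__ == "__main__":
    for alert in flag_bulk_download_from_new_device(SAMPLE):
        print("ALERT", alert)
```

Bulk downloads from a device already in the user's baseline are deliberately not scored here; that case needs a separate per-user volume baseline.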
Key Takeaways and Recommendations
Organizations should:
- Invest heavily in ongoing employee training and simulated social engineering exercises.
- Adopt layered, phishing-resistant authentication across all systems.
- Regularly audit third-party dependencies, especially identity and access management services.
- Maintain tested, up-to-date incident response plans with clear communication protocols.
Individuals should:
- Use strong, unique passwords managed by a reputable password manager.
- Enable multifactor authentication everywhere possible, preferring app-based or hardware methods over SMS.
- Monitor financial accounts and credit reports vigilantly, especially after breach notifications.
- Exercise skepticism toward unexpected requests for information, even if they reference accurate personal details.
Conclusion
The Figure Technology data breach serves as yet another reminder that cybersecurity threats evolve rapidly, often exploiting the weakest link: people. While the company has responded decisively and its innovative blockchain lending model remains intact, the incident reinforces the need for continuous vigilance across the fintech ecosystem. As Figure works to rebuild and fortify trust, the broader industry must learn from this event to better protect the sensitive data that underpins digital finance in an increasingly connected world.