Figure Technology Faces Major Data Breach Impacting Nearly One Million Customers

Figure Technology Solutions (Nasdaq: FIGR) has suffered a significant data breach that exposed the personal details of approximately 967,000 customer accounts. The incident, which came to light in mid-February 2026, stemmed from a targeted social engineering attack rather than a technical vulnerability, highlighting ongoing challenges in protecting sensitive user information even at advanced financial institutions.

Figure Technology Solutions, a San Francisco-headquartered company known as the largest nonbank provider of home equity lines of credit in the United States, leverages blockchain technology to streamline lending processes.

The firm went public through an initial public offering in September 2025 and has reported steady growth, with third-quarter 2025 net income more than tripling year-over-year to $90 million.

Despite its emphasis on innovative, secure financial solutions, the company fell victim to tactics employed by the notorious hacking collective ShinyHunters.

According to statements from Figure’s representatives, the breach began when hackers used deceptive methods—likely voice phishing or vishing—to manipulate a single employee.

This allowed unauthorized access to internal systems, where attackers downloaded a limited set of files before the company detected and blocked the activity.

Figure quickly engaged a third-party forensic firm to assess the scope and has been notifying affected individuals while offering complimentary credit monitoring services.

The full extent of the compromise became public when ShinyHunters uploaded roughly 2.5 gigabytes of archived data to a dark web leak site after Figure declined to meet their ransom demands.

Analysis by the data breach notification platform Have I Been Pwned, which added the incident to its database on February 18, 2026, confirmed the exposure of records dating back to January 2026.

The compromised information includes customers’ full names, dates of birth, physical addresses, phone numbers, and email addresses—totaling about 967,200 unique email records.

Importantly, Figure has emphasized that no financial account details, Social Security numbers, loan information, or customer funds were accessed.

This attack appears to be part of a broader campaign by ShinyHunters targeting organizations relying on Okta’s single sign-on services.

Similar incidents have affected entities such as Harvard University, the University of Pennsylvania, and fintech peer Betterment.

The group has increasingly favored social engineering over sophisticated exploits, impersonating IT support to harvest credentials and infiltrate cloud-based applications.

The timing adds pressure for Figure, which is currently executing a secondary stock offering following its recent IPO.

While the company maintains that customer accounts remain secure and has implemented additional employee training and safeguards, the leak raises alarms about potential downstream risks.

Exposed personal identifiers can fuel identity theft, spear-phishing campaigns, and account takeovers, particularly when combined with data from other breaches.

Industry professionals note that social engineering attacks like this exploit human factors rather than code weaknesses, underscoring the need for continuous vigilance in fast-evolving fintech environments.

For affected customers, immediate steps include monitoring credit reports, enabling multi-factor authentication everywhere possible, and remaining cautious of unsolicited communications claiming to be from Figure or related services.

Figure has stressed its commitment to transparency and customer protection, stating it is communicating directly with impacted parties and partners.

As the investigation continues, the incident serves as a reminder that blockchain-powered platforms must prioritize proper defenses against evolving human-targeted threats. In an industry handling vast amounts of sensitive financial data, such breaches could erode trust if not addressed decisively.