Fintech company icons showing data breach

Data Breach at Fintech Company Figure Technology Solutions Impacts Nearly 1 Million People

Fintech company Figure Technology Solutions was hit by a data breach that affected almost a million people after a threat actor exfiltrated certain files containing personal information.

With over 250 partners, including B2B partners, banks, credit unions, fintechs, and home improvement companies, according to its website, Reno, Nevada-based Figure operates on the Provenance blockchain.

The Figure data breach became public on February 13 after ShinyHunters listed the company on a data leak site and published the stolen information.

Figure data breach affects nearly a million customers

The blockchain company claims the threat actor copied only “a limited number of files” but did not specify which personal details were exposed, the number of victims, or the identity of the threat actor. However, the fintech company is in the process of notifying impacted individuals and partners.

According to data breach tracking website Have I Been Pwned (HIBP), the leaked data contains 967,200 unique email addresses, representing the number of victims. HIBP says the information dates back to January 2026 and included the victims’ names, dates of birth, physical addresses, and phone numbers.

“The exposed data, dating back to January 2026, contained over 900k unique email addresses along with names, phone numbers, physical addresses and dates of birth,” it stated.

While less sensitive than credit card numbers or Social Security Numbers, hackers could still use the leaked information to target victims and lure them into disclosing more confidential information.

Subsequently, victims should be on the lookout for suspicious messages purporting to originate from the fintech company to avoid becoming victims of phishing or fraud.

“Figure’s breach is a reminder that non-financial data is still financial-grade risk,” said Pete Luban, Field CISO at AttackIQ. “With the personal information of nearly 1 million accounts exposed, attackers now have everything they need to fuel convincing identity verification bypasses or highly targeted phishing and vishing campaigns that can hit both customers and Figure’s partner ecosystem.”

“Social engineering attacks like this continue to reinforce the uncomfortable truth that the fastest path to sensitive data is often through people and the access pathways they’re authorized to use,” added Luban.

ShinyHunters claims data breach at fintech company Figure

The infamous hacking group ShinyHunters took responsibility for the Figure data breach and published the stolen data, totaling 2.5 GB, on a leak site used by cybercriminals to coerce victims into paying ransom.

However, it remains unclear whether the threat actor demanded ransom before publishing the stolen information online. Nevertheless, the group accused Figure of “wasting time” and trying to cover up the data breach, a common accusation made against companies that refuse to pay the ransom.

While the fintech company has not released much information about the data breach, it disclosed that the leak stemmed from a social engineering attack in which an employee was tricked into authenticating the threat actor.

ShinyHunters has perfected the art of social engineering, having compromised multiple companies, including Salesforce, to target their customers and business partners, including Google.

The Figure data breach was linked to the social engineering attack on the identity management platform Okta, which also affected CrunchBase, SoundCloud, investment platform Betterment, Harvard University, and the University of Pennsylvania (UPenn).

“This incident fits the recent ShinyHunters playbook of rapid, high-volume victimization through SSO-focused social engineering, where a single compromised identity can become a master key to downstream applications and data stores,” noted Luban. “Mitigation strategies have to match that reality. Prioritizing phishing-resistant MFA and enforcing conditional access and least privilege for SSO sessions are essential measures for proactively defending against future ShinyHunters campaigns.”

In January, Madiant warned that the extortion group had expanded its voice phishing (vishing) attacks to obtain single sign-on (SSO) credentials and multi-factor authentication (MFA) codes from corporate environments.

Additionally, Google also observed the threat group increasing its extortion tactics to include harassing employees of business partners. Its new tactics also include using victim-branded websites to harvest login credentials. ShinyHunters also unleashed a custom phishing toolkit tailored to callers’ specific needs, including providing supporting context to match the victim’s authentication flow.