Nearly 1 million accounts exposed in Figure data breach tied to ShinyHunters


Nearly 1 million customer accounts tied to leading fintech lender Figure Technology Solutions were exposed in a breach linked to the ShinyHunters hacker gang, newly published breach database records reveal.

The San Francisco-based blockchain home-lending firm confirmed the data breach on Friday, after TechCrunch first reported the incident.

Approximately 2.5GB of sensitive data was allegedly posted on ShinyHunters' dark victim blog after the group claimed Figure refused to pay an undisclosed ransom demand.

Figure Technology Solutions appears on the ShinyHunters dark leak site. Image by Cybernews.

On Wednesday, details about the breach were officially added to the website “Have I Been Pwned,” showing 967,200 customer accounts were affected in the January 2026 breach, putting victims at risk of identity theft, loan fraud, and targeted phishing attacks.

“In February 2026, data obtained from the fintech lending platform Figure was publicly posted online,” the Troy Hunt website noted in the entry.

On February 14th, a Figure spokesperson told TechCrunch that the breach was the result of “an employee who was tricked by a social engineering attack” – a signature entry point for the notorious extortion gang.

The spokesperson had also stated that only “a limited number of files” had been extracted from Figure networks.

"Have I Been Pwned" adds Figure Technology Solutions to its database of breaches. Image by Cybernews.

Pete Luban, Field CISO at AttackIQ, however, notes that “non-financial data is still financial-grade risk.”

“Attackers now have everything they need to fuel convincing identity verification bypasses or highly targeted phishing/vishing campaigns, leaving both customers and Figure’s partner ecosystem at risk,” Luban explains.

What data was exposed

According to Have I Been Pwned, the exposed customer data dates back to January 2026 and contains over 900k unique records, including:

  • Email addresses
  • Names
  • Phone numbers
  • Physical addresses
  • Dates of birth

In an unverified claim on the BreachForums hacker marketplace from February 14th, user "thelastwhitehat" alleges the stolen data also includes “HubSpot CRM dumps, KYC information, applicant information, employee data, stakeholder data, and much more.”

BreachForums member "thelastwhitehat" provides more details about the leaked data, but Cybernews has not verified those claims. Image by Cybernews.

The Figure spokesperson noted that the company was in communications “with partners and those impacted,” and is offering free credit monitoring “to all individuals who receive a notice,” TechCrunch reported.

“It appears that only basic contact information like email addresses, names, phone numbers, physical addresses, and dates of birth were harvested in the breach,” says Chris Hauk, Consumer Privacy Champion at Pixel Privacy.

Hauk tells Cybernews affected individuals should remain alert for “phishing emails, texts, and phone calls” – known tactics bad actors use “attempting to gain additional information.”

Internal messages reveal Okta phishing attempts

Apparently, a member of ShinyHunters told TechCrunch that the Figure breach was linked to a recent Okta vishing campaign targeting single sign-on (SSO) credentials.

Okta, an identity and access management (IAM) platform, published details about the ShinyHunters activity back on January 22nd, warning that attackers were also targeting SSO credentials tied to Microsoft and Google environments.

In an apparent jab at Figure, ShinyHunters also posted purported copies of several internal messages sent by management, acknowledging attempts to trick employees into handing over sign-on credentials.

ShinyHunters posted several internal company messages, allegedly stolen from Figure networks, on its dark leak site. The messages warn employees of the social engineering attempts. Image by Cybernews.

“We have received a few reports of employees being contacted on their personal phones and or work phones by people claiming to be IT and needing to set up Okta, a Passkey or some other security software,” one higher-up wrote.

“These individuals will attempt to earn your trust by using names of actual employees. This is a phishing attempt and generally comes from contact information being pulled from LinkedIn or similar social networks,” the message continued.

The warning added, “IT will NEVER call you on your personal cell phone or work phone out of the blue. Our communications will always come through Slack, company Gmail, or in response to a Zendesk ticket.”

ShinyHunters’ expanding fintech targets

ShinyHunters is a well-known cybercrime and extortion gang, previously linked to multiple high-profile breaches and large-scale data theft campaigns, including last year’s heist of Salesforce CRM data that targeted enterprise cloud services and customer databases.

Luban points out that the Figure attack “fits ShinyHunters’ playbook of rapid, high-volume victimization through SSO-focused social engineering, where a single compromised identity can become a master key to downstream applications and data stores.”

“Social engineering attacks like this continue to reinforce the uncomfortable truth that the fastest path to sensitive data is often through people and the access pathways they’re authorized to use,” he says, adding that "mitigation strategies have to match that reality."

In recent weeks, the extortion gang has targeted several financial firms, including two high-profile investment advisory firms – Mercer Advisors and Beacon Pointe Advisors – allegedly obtaining millions of sensitive client records.

Ironically, ShinyHunters has threatened to dump both firms' stolen data on Wednesday, yet its dark leak site still displays warning labels on both entries.

High-profile investment advisory firms Mercer Advisors and Beacon Pointe Advisors are slapped with warnings on the ShinyHunters leak site. Image by Cybernews.

Numerous well-known companies have been targeted by ShinyHunters since the beginning of 2026 using skilled social engineering tactics. Many of them are listed on the group's leak site alongside Figure, including Canada Goose, Ivy League colleges Harvard and UPenn, the dating conglomerate Match Group, and the Bumble app.

Luban says organizations must “prioritize phishing-resistant MFA and enforce conditional access and least privilege for SSO sessions to proactively defend against future ShinyHunters campaigns.”

Furthermore, he says “validation of security defenses through emulation of common ShinyHunters attack tactics and techniques” can help companies determine whether security measures are “prepared to block the paths of threat actors, rather than just report intrusions.”

Hauk additionally recommends organizations “educate their employees and executives on how to recognize social engineering attacks like the one used by ShinyHunters to breach Figure.”
