Hackers Access Personal Data from Figure Technology Solutions: A Quiet but Major Breach
A Quiet Disclosure, A Large Breach
In a startling revelation that slipped under the radar, hackers have stolen personal and contact information from nearly one million accounts at Figure Technology Solutions, a fintech firm rooted in blockchain technology. Despite facilitating over $22 billion in home equity transactions, Figure found itself the target of a significant cyberattack characterized as a social engineering incident.
The breach was initially downplayed by the company, which described it as a theft of “a limited number of files.” However, the true extent of the breach came to light when data appeared on Have I Been Pwned, a popular data breach notification service. According to reports, data pertaining to 967,200 accounts was compromised and publicly shared online back in February 2026, revealing the scale of what had occurred.
The data compromised in this incident, which dates back to January 2026, included over 900,000 unique email addresses, as well as names, phone numbers, physical addresses, and dates of birth. While Figure confirmed the breach, details regarding the specific number of affected individuals or the categories of stolen data remained scarce.
The Rise of a Blockchain Lender
Established in 2018, Figure Technology Solutions has positioned itself as a pioneering financial services platform built on the Provenance blockchain. The company’s innovative infrastructure is designed to power various financial transactions, including lending, borrowing, and securities trading. With partnerships spanning over 250 entities—ranging from banks to home improvement firms—Figure has worked hard to carve out its niche in a competitive fintech landscape.
The promise of blockchain is enticing; it holds the potential to streamline financial processes and reduce related costs. Yet the recent breach starkly illustrates that even firms leveraging decentralized technologies are not immune to human error or conventional hacking methods. Notably, the breach was not predicated on flaws in blockchain architecture but rather stemmed from a compromise of internal access credentials, a pitfall that has become alarmingly familiar in large-scale corporate breaches.
ShinyHunters and a Pattern of Intrusions
Responsibility for the breach has been claimed by an extortion group known as ShinyHunters, which announced its ill-gotten gains on a dark web leak site. According to the group, it had acquired a hefty 2.5 gigabytes of data, allegedly extracted from a multitude of loan applicants.
ShinyHunters has made headlines for similar breaches involving other high-profile companies like Canada Goose, Panera Bread, and even cybersecurity firm CrowdStrike. While not all these breaches appear to be part of a coordinated campaign, cybersecurity experts have identified overlapping tactics that raise alarms about the evolving nature of cyberattacks.
Some incidents have been linked to voice phishing, or “vishing,” campaigns that target single sign-on accounts across many organizations, using tactics that include impersonating IT support staff. Attackers contact employees directly, persuading them to share login credentials and multi-factor authentication codes via fraudulent portals mimicking legitimate corporate systems. Once they gain access to single sign-on accounts, attackers can infiltrate connected enterprise applications, spreading their reach like wildfire.
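For defenders, the pattern described above (a sign-in that passes multi-factor authentication, then rapid movement into connected applications) can be checked in single sign-on audit logs. The sketch below is an added example, not taken from the article or from any vendor's product; the event fields, the enrolled-device baseline and the thresholds are assumptions, and the log lines are constructed.

```python
from datetime import datetime, timedelta

# Constructed SSO audit events: (time, user, event, device, app)
EVENTS = [
    ("2026-01-12T09:00:05", "alice", "login_mfa_ok", "dev-A1", None),
    ("2026-01-12T09:01:10", "alice", "app_access", "dev-A1", "mail"),
    ("2026-01-12T14:30:00", "bob", "login_mfa_ok", "dev-B1", None),
    ("2026-01-12T14:31:00", "bob", "app_access", "dev-B1", "crm"),
    ("2026-01-12T15:02:00", "bob", "login_mfa_ok", "dev-X9", None),  # unenrolled device
    ("2026-01-12T15:03:10", "bob", "app_access", "dev-X9", "crm"),
    ("2026-01-12T15:04:00", "bob", "app_access", "dev-X9", "fileshare"),
    ("2026-01-12T15:05:30", "bob", "app_access", "dev-X9", "loan-docs"),
    ("2026-01-12T15:06:00", "bob", "app_access", "dev-X9", "hr"),
]
# Assumed baseline of devices each user has previously enrolled
KNOWN_DEVICES = {"alice": {"dev-A1"}, "bob": {"dev-B1"}}


def flag_sso_fanout(events, known, window=timedelta(minutes=15), min_apps=3):
    """Alert on MFA-passed logins from an unenrolled device that reach
    at least `min_apps` distinct applications within `window`."""
    sessions = {}  # (user, device) -> (login_time, apps_seen)
    for ts, user, kind, device, app in sorted(events, key=lambda e: e[0]):
        t = datetime.fromisoformat(ts)
        key = (user, device)
        if kind == "login_mfa_ok" and device not in known.get(user, set()):
            # MFA succeeded, but the device is new: start tracking the session
            sessions[key] = (t, set())
        elif kind == "app_access" and key in sessions:
            start, apps = sessions[key]
            if t - start <= window:
                apps.add(app)
    return [
        {"user": u, "device": d, "login": start.isoformat(), "apps": sorted(apps)}
        for (u, d), (start, apps) in sessions.items()
        if len(apps) >= min_apps
    ]


if __name__ == "__main__":
    for alert in flag_sso_fanout(EVENTS, KNOWN_DEVICES):
        print(alert)
```

A successful MFA prompt is not treated as proof of legitimacy here, because in the campaigns described the employee supplies the code to the attacker.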
The Expanding Reach of Social Engineering
ShinyHunters is also alleged to have breached Match Group, the parent company of dating platforms like Tinder and OkCupid. This incident, like others, demonstrates a disturbing trend toward leveraging social engineering techniques to outsmart security measures, moving the battleground from technological exploits to the manipulation of human behavior within organizations.
The methods employed—impersonating trusted internal personnel and exploiting standard authentication workflows—reflect a significant shift in cybercrime tactics. By targeting employees who serve as gateways to broader digital ecosystems, attackers can bypass multi-layered security controls without having to deploy complex malware.
In Figure’s case, the company has yet to divulge how exactly the breach occurred or whether enhanced security protocols have since been established. Furthermore, it remains unclear how many individuals have formally been notified about the breach, adding to the anxiety surrounding the incident.
For customers whose personal data—ranging from contact details to birthdays—has made its way online, this breach is a potent reminder that even organizations perched on the cutting edge of financial technology are still vulnerable to the age-old threat of human trust being exploited.
Amid an ever-evolving landscape of cyber threats, this breach serves as a critical lesson on the vulnerabilities that persist even in the most advanced technological environments.


