A significant cybersecurity incident has compromised the personal and contact information associated with close to one million customer accounts at Figure Technology Solutions, a prominent player in the blockchain-native financial technology sector. This breach underscores the persistent and evolving threat landscape facing digital financial platforms, even those leveraging advanced distributed ledger technologies.
Figure Technology Solutions, established in 2018, has positioned itself at the forefront of financial innovation by utilizing the Provenance blockchain for a diverse range of financial services, including lending, borrowing, and securities trading. The company boasts an impressive track record, having facilitated over $22 billion in home equity solutions through a vast network of more than 250 partners, encompassing traditional banks, credit unions, emerging fintech enterprises, and home improvement companies. This robust integration into the financial ecosystem highlights the widespread potential ramifications of any security lapse within its operations.
While Figure did not initially issue a public disclosure regarding the security compromise, a spokesperson for the company confirmed to media outlets in February 2026 that attackers had successfully exfiltrated "a limited number of files." The company attributed the incident to a sophisticated social engineering attack, a method that exploits human psychology rather than purely technical vulnerabilities to gain unauthorized access. The lack of immediate public transparency from Figure regarding the specifics of the breach initially left many questions unanswered for the financial community and affected individuals.
The full extent of the data exfiltration only became clear when public data breach notification services began reporting on the incident. Specifically, information surfaced indicating that data from 967,200 accounts had been compromised. Reports detailed that the exposed dataset, with records dating back to January 2026, contained a wealth of sensitive personally identifiable information (PII). This included over 900,000 unique email addresses, along with corresponding names, phone numbers, physical addresses, and dates of birth. The confirmation by Figure that the incident stemmed from an employee being manipulated into granting access further emphasized the human element as a critical vulnerability point in even the most technologically advanced organizations.

The responsibility for this high-profile breach was swiftly claimed by ShinyHunters, a notorious cyber extortion group. The group added Figure Technology Solutions to its dark web leak site, publicly disseminating a substantial volume of data – approximately 2.5 gigabytes – purportedly stolen from thousands of loan applicants. The public availability of such extensive personal data significantly escalates the risk for affected individuals, exposing them to potential identity theft, phishing scams, and other forms of financial fraud. The tactics employed by ShinyHunters in this incident align with their established pattern of exploiting organizational weaknesses to extract and monetize sensitive information.
This incident at Figure is not an isolated event but rather appears to be part of a broader, more aggressive campaign waged by ShinyHunters against a variety of high-profile organizations. In the weeks leading up to the Figure breach, the group claimed responsibility for similar compromises impacting diverse sectors, including luxury retail (Canada Goose), quick-service restaurants (Panera Bread), wealth management (Betterment), digital audio distribution (SoundCloud), adult entertainment (PornHub), and even cybersecurity firms (CrowdStrike). While the precise technical vectors may vary across these incidents, a significant number of the breaches, including Figure’s, have been linked to a sophisticated voice phishing (vishing) campaign.
This vishing campaign specifically targets single sign-on (SSO) accounts across widely used enterprise platforms such as Okta, Microsoft, and Google. The attackers employ an elaborate ruse, impersonating legitimate IT support personnel to contact employees of target organizations. Through social engineering, they manipulate these unsuspecting individuals into divulging their login credentials and multi-factor authentication (MFA) codes on deceptive phishing websites designed to mimic authentic corporate login portals. Once successful, this illicit access to an employee’s SSO account serves as a critical gateway, granting the attackers unauthorized entry to a myriad of connected enterprise applications and services. These can include vital business platforms like Salesforce, Microsoft 365, Google Workspace, SAP, Slack, Zendesk, Dropbox, Adobe, and Atlassian, among many others, thereby providing a rich harvest of internal data and operational control.
A particularly notable victim of this widespread campaign was Match Group, a dominant entity in the online dating industry. The breach at Match Group reportedly exposed data from several of its popular dating services, including Tinder, Hinge, Meetic, Match.com, and OkCupid, illustrating the broad scope and significant impact of ShinyHunters’ operations across diverse consumer-facing platforms. The common thread of social engineering and SSO compromise in many of these attacks highlights a pervasive vulnerability that transcends industry sectors.

The implications for the nearly one million individuals whose data has been exposed are substantial and long-lasting. The compromised information – names, email addresses, phone numbers, physical addresses, and dates of birth – forms a comprehensive profile that can be exploited for various malicious purposes. Victims face an elevated risk of targeted phishing attacks, where criminals use the stolen data to craft highly convincing emails or messages designed to elicit further sensitive information or install malware. More severely, this PII can be leveraged for identity theft, potentially leading to unauthorized financial transactions, fraudulent credit applications, or even medical identity theft. Individuals are advised to remain vigilant, monitor their financial accounts and credit reports closely, and consider implementing credit freezes to mitigate potential harm.
For Figure Technology Solutions, the incident carries significant repercussions. Reputational damage is a primary concern; as a company built on trust and innovation in a blockchain-native environment, a major data breach can erode confidence among its partners, investors, and end-users. This could potentially impact future business development and customer acquisition. Furthermore, Figure is likely to face intense regulatory scrutiny. Depending on the jurisdictions of its operations and affected individuals, the company could be subject to investigations by data protection authorities, potentially leading to substantial fines under regulations like GDPR or CCPA, as well as mandatory notification requirements. The breach also necessitates a thorough internal review of Figure’s cybersecurity posture, particularly its defenses against social engineering and the efficacy of its employee training programs.
It is crucial to differentiate that the breach did not compromise the underlying Provenance blockchain itself. The security of blockchain technology, with its decentralized and cryptographic architecture, generally remains robust against direct tampering. Instead, the incident targeted Figure’s centralized internal systems and human vulnerabilities, underscoring that even companies leveraging advanced blockchain solutions must maintain equally stringent security protocols for their off-chain operations and human capital. This distinction is vital for maintaining public trust in the integrity of blockchain technology while simultaneously highlighting the enduring challenge of securing the interfaces between blockchain and traditional IT infrastructure.
Expert analysis consistently points to social engineering as one of the most persistent and challenging threats in cybersecurity. Despite continuous advancements in defensive technologies, the human element often remains the weakest link. Attackers exploit psychological principles, such as trust, urgency, and authority, to circumvent even sophisticated technical controls. This necessitates a multi-faceted defense strategy that goes beyond perimeter security. Robust security awareness training for all employees, conducted regularly and updated to reflect current threat landscapes, is paramount. Such training must empower staff to identify and report suspicious communications, understand the risks associated with divulging sensitive information, and recognize the tactics employed in vishing and phishing attacks.

Beyond human-centric defenses, organizations like Figure must also harden their technical controls. The widespread targeting of SSO accounts highlights the critical importance of implementing strong, adaptive multi-factor authentication across all enterprise applications. Adaptive MFA systems analyze contextual factors such as device, location, and behavior to assess risk, requiring additional verification steps when anomalies are detected. Furthermore, organizations must implement stringent access controls, the principle of least privilege, and continuous monitoring of network activity for anomalous behavior that could indicate compromise. A well-defined and frequently tested incident response plan is also indispensable, enabling rapid detection, containment, eradication, and recovery to minimize the impact of a breach.
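The adaptive MFA decision described above can be sketched as a small risk scorer over SSO sign-in context; this is an added example, not code from Figure or any identity vendor. The field names, weights, thresholds and sample events are assumptions constructed for illustration. It shows why context matters when a one-time code has been relayed through a phishing site: the code is valid, but the device and location are not the user's.

```python
from dataclasses import dataclass, field

# Weights and thresholds are illustrative assumptions, not vendor defaults.
WEIGHTS = {"new_device": 40, "new_country": 30, "off_hours": 10, "app_burst": 30}
STEP_UP_AT, DENY_AT = 40, 80

@dataclass
class Profile:
    """Per-user baseline built from earlier, trusted sign-ins."""
    devices: set = field(default_factory=set)
    countries: set = field(default_factory=set)
    work_hours: range = range(7, 20)   # local hours the user normally signs in
    usual_apps_per_hour: int = 4

def risk_signals(event: dict, profile: Profile) -> list:
    """Return the names of contextual anomalies present in one sign-in event."""
    signals = []
    if event["device_id"] not in profile.devices:
        signals.append("new_device")
    if event["country"] not in profile.countries:
        signals.append("new_country")
    if event["hour"] not in profile.work_hours:
        signals.append("off_hours")
    if event["apps_opened_last_hour"] > 2 * profile.usual_apps_per_hour:
        signals.append("app_burst")   # many connected apps opened right after sign-in
    return signals

def decide(event: dict, profile: Profile) -> tuple:
    """Map anomalies to an action: allow, step_up (extra verification) or deny."""
    signals = risk_signals(event, profile)
    score = sum(WEIGHTS[s] for s in signals)
    action = "deny" if score >= DENY_AT else "step_up" if score >= STEP_UP_AT else "allow"
    return action, score, signals

# Constructed sample data: one baseline and three sign-ins for the same user.
ALICE = Profile(devices={"laptop-7f3a"}, countries={"US"})
EVENTS = [
    {"device_id": "laptop-7f3a", "country": "US", "hour": 10, "apps_opened_last_hour": 3},
    {"device_id": "phone-new01", "country": "US", "hour": 21, "apps_opened_last_hour": 1},
    {"device_id": "vm-unknown", "country": "NL", "hour": 3, "apps_opened_last_hour": 12},
]

if __name__ == "__main__":
    for ev in EVENTS:
        print(ev["device_id"], decide(ev, ALICE))
```

The same signals can be logged and alerted on even when the action is "allow", which supports the continuous monitoring the paragraph calls for.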
Looking ahead, the landscape of cyber threats is only becoming more sophisticated and pervasive. The targeting of single sign-on systems and the success of social engineering tactics underscore a shift in adversary focus from purely technical exploits to hybrid attacks that blend technical prowess with human manipulation. For fintech companies, which handle vast amounts of sensitive financial and personal data, the imperative to invest proactively in comprehensive cybersecurity defenses cannot be overstated. This includes not only advanced technological solutions but also a deep commitment to fostering a strong security culture throughout the organization.
Recommendations for organizations in the wake of such incidents include conducting thorough penetration testing, implementing red teaming exercises to simulate real-world attacks, and continuously updating threat intelligence to stay ahead of evolving adversary tactics. For individuals, the advice remains consistent: practice strong password hygiene, enable MFA wherever possible, be skeptical of unsolicited communications, and regularly review financial statements and credit reports for any suspicious activity. The Figure breach serves as a stark reminder that in the interconnected digital economy, the weakest link can expose even the most innovative and technologically advanced entities to significant risk. The ongoing battle against cyber adversaries demands constant vigilance, adaptation, and a holistic approach to security that encompasses technology, process, and people.








