Figure Technology Hit by Data Breach After Social Engineering Attack Blockchain-based lending firm Figure Technology confirmed a data breach stemming from a social engineering attack that tricked an employee into exposing sensitive files. The incident, disclosed on Friday, was attributed to the hacking group ShinyHunters, which later published 2.5 GB of stolen data on its dark web leak site after Figure refused to pay a ransom. The compromised data, reviewed in part by TechCrunch, included customers’ full names, home addresses, dates of birth, and phone numbers. Figure stated it is notifying affected individuals and partners while offering free credit monitoring to those impacted. The company did not respond to further inquiries about the breach’s scope or timeline. ShinyHunters claimed Figure was one of multiple victims in a campaign targeting organizations using Okta’s single sign-on (SSO) service, alongside Harvard University and the University of Pennsylvania (UPenn). The group’s involvement underscores a broader trend of cybercriminals exploiting third-party authentication vulnerabilities to access sensitive systems.

Figure Lending Corp. Data Breach Exposes Sensitive Customer Information On January 28, 2026, Figure Lending Corp. a fintech company specializing in blockchain-based home equity loans, refinancing, and crypto-backed lending detected unauthorized access to its databases. The breach involved queries targeting loan and inquiry records, resulting in the potential exposure of sensitive personal data. Affected information includes names, Social Security numbers, addresses, phone numbers, email addresses, dates of birth, loan account numbers, and loan details. The company confirmed the incident following an internal investigation. Edelson Lechtzin LLP, a national class action law firm, has launched an inquiry into potential legal claims on behalf of impacted individuals. The firm is evaluating options for those who received breach notifications, though no lawsuit has been filed at this time. Figure Lending Corp., headquartered in Charlotte, N.C., has not disclosed the number of individuals affected or the method of unauthorized access. The breach highlights ongoing risks in fintech data security, particularly for companies handling high-value financial and personal information.

Figure Technology Confirms Data Breach After Social Engineering Attack Figure Technology, a blockchain-based lending firm, has acknowledged a data breach following a social engineering attack that tricked an employee into granting hackers access. The company stated that a "limited number of files" were stolen, though it has not specified which types of sensitive data such as names, addresses, Social Security numbers, or financial details may have been exposed. Affected individuals and partners are being notified, with free credit monitoring offered to those impacted. The cybercrime group ShinyHunters claimed responsibility for the attack, releasing approximately 2.5GB of stolen data on the dark web after Figure refused to pay a ransom. A review of the leak by TechCrunch confirmed the exposure of customer names, home addresses, dates of birth, and phone numbers. ShinyHunters reportedly targeted companies using Okta, an identity management service, with other victims including Harvard University and the University of Pennsylvania. The group employs a "double extortion" tactic, stealing data before demanding payment and threatening public release if demands are not met. Security researchers note that such attacks often exploit weak passwords, third-party vulnerabilities, or unsecured storage systems. The breach adds to growing concerns over crypto fraud and identity theft, as financial institutions remain prime targets due to the sensitive data they hold. A Chainalysis report revealed that criminals stole over $17 billion in crypto last year, with scammers increasingly using AI to craft convincing impersonation schemes. Meanwhile, Privacy Rights Clearinghouse reported over 8,000 breach notifications in 2025, linked to more than 4,000 hacking incidents and exposing the personal information of at least 374 million people. Despite the breach, Figure’s stock rose 3.57% on Friday, closing at $35.29, though shares remain down 37% over the past month. The company recently announced plans to sell up to 4.23 million additional shares and may repurchase up to $30 million of another stock class.