Hackers accessed personal data from hundreds of thousands of users of Figure Technology Solutions, a fintech firm built on blockchain infrastructure, in an attack the company attributed to social engineering.
A Quiet Disclosure, A Large Breach
Hackers have stolen the personal and contact information of nearly one million accounts after breaching the systems of Figure Technology Solutions, a self-described blockchain-native financial technology company that has facilitated more than $22 billion in home equity transactions.
Although Figure did not publicly announce the incident, a company spokesperson told TechCrunch on Friday that attackers stole “a limited number of files” in what it described as a social engineering attack. The disclosure was not accompanied by a detailed breakdown of the number of individuals affected or the categories of data involved.
It was only after the breach appeared on the data breach notification service Have I Been Pwned that the scope became clearer. The service reported that data from 967,200 accounts had been exposed. In a statement posted Wednesday, Have I Been Pwned said that data obtained from Figure was publicly posted online in February 2026.
The exposed records, dating back to January 2026, contained more than 900,000 unique email addresses along with names, phone numbers, physical addresses and dates of birth. Figure confirmed the incident and attributed it to a social engineering attack in which an employee was tricked into providing access.
The Rise of a Blockchain Lender
Founded in 2018, Figure positions itself as a financial services platform built on the Provenance blockchain, a distributed ledger it uses to power lending, borrowing and securities trading. The company says it has unlocked more than $22 billion in home equity and works with more than 250 partners, including banks, credit unions, fintech companies and home improvement firms.
Its pitch rests on the promise that blockchain infrastructure can streamline financial transactions and reduce costs. Yet the breach underscores the reality that even companies built on decentralized technologies remain vulnerable to human error and traditional cyberattack methods.
In this case, the intrusion was not attributed to a flaw in blockchain architecture but to the compromise of internal access credentials through deception — a method that has become increasingly common in large-scale corporate breaches.
ShinyHunters and a Pattern of Intrusions
Responsibility for the breach was claimed by the extortion group known as ShinyHunters, which added Figure to its dark web leak site. The group said it had stolen 2.5 gigabytes of data, allegedly taken from thousands of loan applicants.
In recent weeks, ShinyHunters has claimed similar breaches at Canada Goose, Panera Bread, Betterment, SoundCloud, PornHub and CrowdStrike. While not all of the incidents are believed to be part of a single coordinated campaign, cybersecurity researchers have identified overlapping tactics in several cases.
Some victims were breached in what investigators described as a voice phishing, or “vishing,” campaign targeting single sign-on accounts at Okta, Microsoft and Google across more than 100 high-profile organizations. In these schemes, attackers impersonate IT support personnel and call employees directly, persuading them to enter credentials and multi-factor authentication codes into fraudulent login portals designed to mimic corporate systems.
Once access to a victim’s single sign-on account is obtained, attackers can move laterally across connected enterprise applications, including Salesforce, Microsoft 365, Google Workspace, SAP, Slack, Zendesk, Dropbox, Adobe and Atlassian, among others.
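The pattern described above, seen from the defender's side, as an added example that is not part of the original article: it flags a single sign-on login from a source address not previously seen for that user when it is followed by access to many connected applications in a short time. The event format, the per-user baseline, the 30-minute window and the four-application threshold are assumptions chosen for illustration, not any identity provider's log schema.

```python
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=30)  # assumed look-ahead after an unfamiliar login
APP_THRESHOLD = 4               # assumed distinct-app count that raises an alert

# Constructed baseline: source IPs previously seen for each user.
KNOWN_IPS = {"alice": {"203.0.113.10"}, "bob": {"203.0.113.22"}}

# Constructed events: (ISO timestamp, user, event type, source IP, app or None)
SAMPLE_EVENTS = [
    ("2026-01-12T09:00:00", "alice", "login", "203.0.113.10", None),
    ("2026-01-12T09:02:00", "alice", "app_access", "203.0.113.10", "Slack"),
    ("2026-01-12T09:05:00", "alice", "app_access", "203.0.113.10", "Salesforce"),
    ("2026-01-12T14:10:00", "bob", "login", "198.51.100.77", None),
    ("2026-01-12T14:11:00", "bob", "app_access", "198.51.100.77", "Salesforce"),
    ("2026-01-12T14:13:00", "bob", "app_access", "198.51.100.77", "Slack"),
    ("2026-01-12T14:16:00", "bob", "app_access", "198.51.100.77", "Dropbox"),
    ("2026-01-12T14:20:00", "bob", "app_access", "198.51.100.77", "Zendesk"),
    ("2026-01-12T15:30:00", "bob", "app_access", "198.51.100.77", "Atlassian"),
]


def detect_fanout(events, known_ips, window=WINDOW, threshold=APP_THRESHOLD):
    """Alert on logins from unseen IPs followed by rapid access to many apps."""
    watches = {}  # (user, ip) -> {"start": datetime, "apps": set, "alerted": bool}
    alerts = []
    for ts, user, kind, ip, app in sorted(events, key=lambda e: e[0]):
        when = datetime.fromisoformat(ts)
        key = (user, ip)
        if kind == "login" and ip not in known_ips.get(user, set()):
            # Unfamiliar source for this user: start watching the session.
            watches[key] = {"start": when, "apps": set(), "alerted": False}
        elif kind == "app_access" and key in watches:
            watch = watches[key]
            if when - watch["start"] > window:
                del watches[key]  # window expired, stop watching
                continue
            watch["apps"].add(app)
            if len(watch["apps"]) >= threshold and not watch["alerted"]:
                watch["alerted"] = True
                alerts.append({"user": user, "ip": ip,
                               "login": watch["start"].isoformat(),
                               "apps": sorted(watch["apps"])})
    return alerts


if __name__ == "__main__":
    for alert in detect_fanout(SAMPLE_EVENTS, KNOWN_IPS):
        print(alert)
```

In the constructed data only bob's session is flagged; alice logs in from a known address, and bob's fifth application access falls outside the window.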
The Expanding Reach of Social Engineering
As part of the broader campaign, ShinyHunters also claimed to have breached online dating company Match Group, which owns platforms including Tinder, Hinge, Meetic, Match.com and OkCupid.
The method — impersonating trusted internal personnel and exploiting authentication workflows — reflects a shift in cybercrime tactics away from technical exploits and toward manipulation of individuals within organizations. By targeting employees who serve as gateways to broader digital ecosystems, attackers can bypass layered security controls without deploying sophisticated malware.
In the case of Figure, the company has not detailed how access was granted or whether additional safeguards have since been implemented. Nor has it publicly clarified how many individuals have been formally notified.
For customers whose personal data — including names, contact details and dates of birth — has surfaced online, the breach represents another reminder that even firms built on emerging financial technologies remain exposed to a more traditional vulnerability: trust placed in human intermediaries.
