Feb 23
Figure Technology Hit by Massive Data Breach Following Social Engineering Attack
Blockchain-based lender Figure Technology is grappling with a significant security failure after a social engineering attack compromised the personal data of nearly one million customers. The breach, which was first flagged by the notification site Have I Been Pwned, involves the theft of sensitive information including names, email addresses, dates of birth, physical addresses, and phone numbers.
While Figure has characterized the incident as the theft of a "limited number of files" via a deceived employee, the hacking group ShinyHunters has already claimed responsibility, purportedly leaking 2.5 gigabytes of data on its site after ransom demands were likely ignored. This crisis marks a major setback for the firm, which went public only last year and has originated over $22 billion in home equity loans under the leadership of controversial fintech veteran Mike Cagney. As the industry watches the fallout, the company’s extensive network of over 200 partners remains on high alert regarding the integrity of its blockchain-integrated loan origination system.
Occurring just as the lender executes a secondary public stock offering following its recent IPO, the incident highlights critical vulnerabilities in the human element of corporate cybersecurity and poses significant reputational risks for the blockchain lending pioneer. Founded by industry veteran Mike Cagney, who previously built the fintech behemoth SoFi before departing in 2017 amid sexual harassment allegations, Figure Technology Solutions has positioned itself as an innovator in the financial sector. The company leverages its proprietary Provenance Blockchain to automate loan origination, operating as the largest non-bank provider of home equity lines of credit (HELOCs) in the United States. With a promise of rapid approvals and a network of over 200 auxiliary lending partners—including Guaranteed Rate and CrossCountry Mortgage—the firm has successfully originated over $22 billion in home equity. However, despite its cutting-edge blockchain infrastructure designed to ensure security and transparency, the company ultimately fell victim to a decidedly low-tech vulnerability: human error.
The breach occurred when a Figure employee was targeted by a sophisticated voice phishing, or "vishing," campaign. Attackers impersonating IT support staff successfully deceived the employee into surrendering their login credentials and multi-factor authentication (MFA) codes on a fraudulent website designed to mirror the company's internal portal. This critical lapse provided the hackers with unauthorized access to the employee's Single Sign-On (SSO) account via Okta, granting them a pathway into connected enterprise applications. According to forensic analyses, the attackers did not exploit any technical vulnerabilities within Figure's blockchain code, but instead bypassed the company's "human firewall" to download a targeted set of files containing vast amounts of user data dating back to January 2026.
The cybercriminal syndicate ShinyHunters has claimed full responsibility for the intrusion, adding Figure to a growing list of high-profile victims targeted in a broader campaign against Okta single sign-on users. Unlike traditional ransomware gangs that lock systems, ShinyHunters specializes in data exfiltration and double-extortion tactics. When Figure management ostensibly refused to pay the demanded ransom, the hackers retaliated by posting a 2.5-gigabyte archive of the stolen data on their Tor-based leak site, publicly mocking the company's leadership in the process. The breach notification service Have I Been Pwned subsequently confirmed that the leaked database contains exactly 967,200 unique email addresses alongside users' full names, physical home addresses, phone numbers, and dates of birth. While the exposure is vast, Figure has emphasized that core financial records, Social Security numbers, and customer funds were not accessed during the incident.
The fallout from the breach is multifaceted, impacting direct borrowers, crypto investors holding the company's $YLDS stablecoin, and clients of Figure's private-label software partners. The timing is particularly damaging for the Nasdaq-listed firm, as the negative publicity coincides with a critical secondary stock offering following its initial public offering last year. In response to the crisis, Figure states that it quickly blocked the unauthorized activity, engaged a third-party cybersecurity forensic firm, and has begun mailing notification letters to affected individuals. Furthermore, the company is offering complimentary identity theft and credit monitoring services to help mitigate the heightened risk of spear-phishing and identity fraud stemming from the leaked personal identifiers. As legal firms begin investigating potential class-action lawsuits, the Figure Technology breach serves as a stark reminder to the fintech industry that even the most advanced decentralized technologies remain susceptible to the age-old threat of social engineering.
Executive IT Forums, Inc.
Educational Programs on Information Technology, Governance, Risk Management, & Compliance (GRC).
Copyright © 2026 Executive IT Forums, Inc. All Rights Reserved.