Hackers stole personal data from roughly 1 million customer accounts at Figure Technology Solutions after compromising an employee account in a social‑engineering attack.
What happened
- Figure, a blockchain‑based lending and home‑equity fintech founded in 2018, confirmed a security incident in February 2026.
- The ShinyHunters extortion group claims responsibility and says it exfiltrated about 2.5 GB of data; after Figure declined to pay a ransom, the data was posted online.
- Have I Been Pwned’s analysis shows data tied to about 967,200 accounts, making this one of the larger fintech breaches so far in 2026.
Data exposed
- Exposed records include customer names, dates of birth, physical addresses, phone numbers, and email addresses.
- Available reporting indicates financial account numbers, Social Security numbers, and detailed loan information were not part of the leaked dataset, though Figure has not publicly disclosed a full field‑by‑field breakdown.
Cause and attack vector
- Figure attributed the incident to a social‑engineering attack in which an employee was tricked into providing access, enabling hackers to download a “limited number of files” from internal systems.
- ShinyHunters then listed Figure on its leak site and published the stolen customer data when the company did not pay.
Scale and impact
- Have I Been Pwned and multiple outlets report roughly 900k–970k unique email addresses in the leaked dataset, corresponding to nearly 1 million customer accounts.
- The exposed PII is sufficient to support targeted phishing, SIM‑swap attempts, and synthetic‑identity or account‑takeover fraud when combined with other breached data.
Figure’s response and customer remedies
- Figure says it has notified affected customers and partners and is offering free credit/identity monitoring to individuals who receive notice.
- The company has reset credentials on the compromised account, engaged third‑party forensics, and is cooperating with law enforcement.
If you or your institution has used Figure (e.g., for HELOCs or partner‑originated loans), practical steps include monitoring for a notice letter or email from Figure, watching for phishing referencing your loan relationship, and considering credit monitoring or a credit freeze as appropriate.





