Figure Technology breach exposes 967,200 customer records online

Figure Technology Solutions acknowledged that attackers used social‑engineering tactics to obtain employee access and that files for 967,200 customers were later posted online by the cybercrime group ShinyHunters. The group published roughly 2.5GB of data on its victim blog in mid‑February, and the incident was added to the Have I Been Pwned database, which lists 967,200 unique accounts tied to the set.

The leaked records include names, email addresses, phone numbers, physical addresses and dates of birth, and the dataset dates back to January 2026. Security analysts warn that that combination of personal information could fuel fraud and targeted scams, putting customers at heightened risk of identity theft, loan fraud and tailored phishing campaigns.

The breach was not the result of a software flaw. Security analysis describes a classic vishing operation in which attackers impersonated IT support, convinced an employee to enter credentials and one‑time multi‑factor authentication codes on a counterfeit login page, and used the compromised single sign‑on account to access connected enterprise applications and files. Investigators found no evidence that specific software versions or technical vulnerabilities were targeted; rather, the incident was enabled by social engineering and the compromise of employee credentials and MFA codes.

Figure confirmed the root cause in limited statements, saying the event involved “an employee who was tricked by a social engineering attack” and that only “a limited number of files” had been extracted from its networks. The company has not provided a detailed public accounting of which internal systems were accessed, how customers will be notified, whether regulators or law enforcement have been alerted, or what remediation services will be offered to affected individuals.

ShinyHunters said it published the data after claiming Figure refused to pay an undisclosed ransom demand, a pattern the group has followed in other incidents. The timing of the public disclosure coincided with Figure’s secondary public stock offering, raising questions for investors and regulators about the firm’s disclosure practices and operational risk controls during a sensitive corporate event.

Have I Been Pwned added the entry for the Figure dataset on February 18, enabling customers to check whether their email addresses appear in the breach. Security practitioners stressed the particular danger of SSO account compromise because it can provide attackers with broad access across an organization’s cloud services if impersonated credentials are accepted.

Key details remain unresolved. Figure has not disclosed the full scope of affected data, the duration of unauthorized access, or whether any fraudulent activity tied to the leak has been confirmed. Likewise, there is no public record yet of regulatory filings or a law enforcement investigation in connection with this incident.

For customers concerned about exposure, cybersecurity experts recommend monitoring credit reports, enabling additional protections with lenders and service providers, and exercising caution with unsolicited calls or messages that request account information or one‑time codes. Reported indicators suggest the immediate risk comes from follow‑on targeted scams that weaponize the published personal data.