Security researcher finds 967,200 Figure emails after ShinyHunters leak

Troy Hunt says 967,200 Figure customer email addresses appeared in a 2.5GB data dump; exposed names, birth dates and addresses raise fraud and legal risks for the Nasdaq-listed lender.

Sarah Chen

Security researcher Troy Hunt of Have I Been Pwned identified 967,200 unique email addresses tied to customers of Figure Technology Solutions after a cybercrime group published roughly 2.5 gigabytes of files it says were stolen from the fintech lender. The dataset, posted by the group ShinyHunters, also included customer names, dates of birth, physical mailing addresses and phone numbers, according to Hunt and subsequent reporting.

Figure, a blockchain-native home-equity lender listed on Nasdaq as FIGR and led by CEO Michael Tannenbaum, confirmed a security incident but offered limited detail. The company said attackers had stolen “a limited number of files.” A Figure spokesperson told TechCrunch, as reported by Cybernews, that the breach stemmed from “an employee who was tricked by a social engineering attack.” Figure did not respond to follow-up requests asking whether it disputes Hunt’s findings or to elaborate on what specific records were taken.

ShinyHunters claimed responsibility and published the trove on its leak website, which the group uses to pressure victims and make stolen data public when extortion demands fail. Cybernews reported that Have I Been Pwned’s entry notes the exposed customer data dates back to January 2026. The security outlet also warned the listing “details names, contact information, and birth dates – data that could fuel fraud and targeted scams.”

The incident has immediate market and legal implications for Figure. Large-scale disclosures of personal data tend to trigger customer attrition, remediation costs and regulatory scrutiny. Woodslaw (Woods Lonergan PLLC), which is monitoring the incident, is advertising legal services to potentially affected individuals and points to prior breach settlements it says it helped secure, including a $30 million 23andMe settlement and an $18 million Yale New Haven settlement. The firm is inviting potential plaintiffs to call (332) 378-0376 or email loganlowe@woodslaw.com for a free consultation and says it takes no fees unless clients win.

Security analysts are also flagging a broader attack vector. Cybernews noted the breach appears tied to a wider Okta vishing campaign that has targeted single sign-on credentials at financial firms, a pattern consistent with ShinyHunters’ prior activity. If SSO or credential theft played a role, the risk extends beyond direct disclosure of contact data to potential account takeover and downstream fraud, though there is no public confirmation that financial account numbers, government ID numbers or passwords were included in the published files.


As of the latest reporting, there are no confirmed incidents of financial theft traced to the published dataset. Key open questions remain: whether Figure disputes the 967,200 email count, exactly what files were in the 2.5GB bundle, whether any credential material or account numbers were exposed, and what remediation the company is offering affected customers.

For consumers who believe they may be affected, experts recommend heightened vigilance: monitor bank and credit-card statements, review credit reports, be cautious of unsolicited calls or texts asking for verification or account details, and consider placing fraud alerts with credit bureaus. Legal counsel such as Woodslaw is available for those seeking representation, reachable at (332) 378-0376 or loganlowe@woodslaw.com.

Reporters and regulators will be watching whether Figure provides a fuller forensic account and whether this episode spurs broader industry action around vishing and SSO protections for financial firms.
