Figure Data Breach Exposes Nearly 1 Million Accounts in Social Engineering Attack
Feb 19, 2026
Hackers have stolen sensitive personal information tied to nearly one million customer accounts after breaching the systems of Figure Technology Solutions, a U.S.-based blockchain-native financial technology company.
The incident, which was publicly disclosed in mid-February 2026, highlights how social engineering remains one of the most effective tactics for attackers targeting corporate networks — even within heavily regulated and security-focused industries like fintech.
Key Facts
| Detail | Information |
|---|---|
| Company Affected | Figure Technology Solutions |
| Industry | Fintech / Blockchain Lending |
| Estimated Accounts Impacted | ~967,000 – 1 million+ |
| Type of Attack | Data breach via social engineering |
| Data Compromised | Names, email addresses, phone numbers, physical addresses, dates of birth |
| Threat Actor | Claim by hacking group ShinyHunters |
| Date of Public Disclosure | February 2026 |
| Incident Origin | Breach dating back to January 2026 |
| Public Data Posted | ~2.5 GB of compressed files on dark web |
| Additional Risks | Identity theft, targeted social engineering |
What Happened?
According to security reports, attackers used social engineering tactics to trick a Figure employee and gain access to internal systems. Once inside, they were able to exfiltrate a “limited number of files” containing sensitive customer personal information.
Although Figure did not immediately disclose the scope, third-party breach notification service Have I Been Pwned later revealed that data from 967,200 unique accounts was exposed in the incident, including contact information and dates of birth.
The hacking group ShinyHunters claimed responsibility by listing the stolen data on its dark web leak site — a common tactic used to pressure companies into paying ransoms or to publicly showcase stolen records.
What Type of Data Was Exposed?
While exact file details have not been confirmed by Figure itself, breach analysis indicates that the attackers accessed and leaked sensitive personal data that could be used in fraud, identity theft, or further social engineering attacks:
Full names
Email addresses
Phone numbers
Physical addresses
Dates of birth
There has been no public indication that financial account numbers, passwords, or direct login credentials were accessed or disclosed.
Risk Profile & Attack Vectors
This incident is part of a continuing trend where attackers leverage social engineering and single-sign-on weaknesses to infiltrate enterprise environments. Techniques such as phishing calls, fake support portals, or credential harvesting on phishing domains are often successful where strong employee training and multi-factor authentication (MFA) are absent or misconfigured.
Once access is gained to one account — particularly one linked to administrative privileges or SSO — attackers can move laterally throughout the environment and access connected data stores.
What This Means for Affected Customers
Individuals potentially impacted by this breach face several cyber risks:
Identity theft & impersonation: Personal identifiers like birth dates and addresses make phishing and identity fraud more effective.
Targeted scams: Attackers can craft convincing credential phishing or voice-based social engineering campaigns (vishing).
Credential stuffing attacks: Though passwords weren’t reported stolen, attackers may try credentials tied to the exposed email addresses on other services.
Affected users should closely monitor financial accounts, enable multi-factor authentication on all services where possible, and consider credit monitoring or identity theft protection services.
Recommended Mitigations
For Individuals:
Enable MFA on all online accounts
Monitor credit reports & bank statements
Be wary of unsolicited calls / emails claiming to be from financial institutions
For Organizations:
Conduct regular social engineering training & simulations
Enforce robust MFA, especially on SSO and remote access systems
Implement continuous monitoring and anomaly detection
Review incident response and breach disclosure protocols
Final Thoughts
This breach at Figure underscores two enduring truths in cybersecurity:
Human factors continue to be the weakest link — attackers frequently exploit social behavior more than technical flaws.
Data exposure carries long-term risk — even if financial credentials aren’t stolen, personal data can fuel downstream fraud schemes.
Strengthened training, vigilant monitoring, and layered defenses are critical to safeguarding sensitive information in today’s threat landscape.
Disclaimer: ClearPhish maintains a strict policy of not participating in the theft, distribution, or handling of stolen data or files. The platform does not engage in exfiltration, downloading, hosting, or reposting any illegally obtained information. Any responsibility or legal inquiries regarding the data should be directed solely at the responsible cybercriminals or attackers, as ClearPhish is not involved in these activities. We encourage parties affected by any breach to seek resolution through legal channels directly with the attackers responsible for such incidents.






