- Key insight: Attackers are bypassing technical security by impersonating IT staff and tricking employees into handing over credentials.
- What’s at stake: The leak hits Figure during a critical financial window, coinciding with the pricing and upsizing of a secondary stock offering.
- Supporting data: The breach exposes approximately 967,000 unique email addresses, along with names, physical addresses and dates of birth.
Overview bullets generated by AI with editorial review
Processing Content
A data breach extortion group has leaked personal information from nearly 1 million customer accounts, stolen from blockchain-based lender Figure Technology Solutions.
Data breach notification service Have I Been Pwned added the incident to its database on Wednesday, noting that the exposure impacts approximately 967,000 unique email addresses, along with names, physical addresses, phone numbers and dates of birth.
The threat actor group ShinyHunters claimed responsibility for the attack and the subsequent data leak. The group has targeted several financial technology companies in recent months not with exploits of technical vulnerabilities but social engineering tactics — manipulating employees rather than hacking computer systems.
A spokesperson for Figure told American Banker that the breach occurred when “an employee was socially engineered, and that allowed an actor to download a limited number of files through their account.” The spokesperson said the company “acted quickly to block the activity and retained a forensic firm to investigate what files were affected.
“We understand the importance of these matters and are communicating with partners and those impacted as appropriate,” Figure’s spokesperson said. “We are also implementing additional safeguards and training to further strengthen our defenses.”
ShinyHunters claimed on its data leak site that it stole over 1 million records with personally identifiable information. The group also published supposed screenshots of internal Slack conversations between Figure employees about the threat actor’s tactics.
While the database appeared on Have I Been Pwned on Wednesday, the threat group ShinyHunters originally posted the data on its victim shaming and data leak site on Feb. 13.
ShinyHunters mocked the lender’s management in a message posted alongside the leaked data, saying the company “decided to waste time and hide instead because their leadership is a mess.”
The incident at Figure follows a similar breach at robo-advisor Betterment, a breach for which ShinyHunters also claimed responsibility. In that incident, which Betterment disclosed in January, the threat group listed a database it alleged contained over 2 million records.
Security researchers attribute these breaches to a broader campaign of social engineering. According to a January report from Google Threat Intelligence, actors associated with ShinyHunters branding have escalated operations using sophisticated voice phishing, or “vishing.”
“Mandiant has identified an expansion in threat activity that uses tactics, techniques, and procedures (TTPs) consistent with prior ShinyHunters-branded extortion operations,” reads the Google report.
In these attacks, threat actors impersonate IT staff and call employees at victim organizations, claiming the company is updating multifactor authentication settings.
The attackers then direct employees to victim-branded credential harvesting sites to capture single sign-on credentials and authentication codes.
Once inside, the attacker targets cloud-based software-as-a-service applications to steal sensitive data.
The incident comes at a sensitive time for Figure, which recently completed its initial public offering and is currently executing a secondary stock offering. Figure launched its initial public offering in September 2025.
Figure recently reported strong financial results for its first quarter as a public company. Net income more than tripled year over year to $90 million for the third quarter of 2025, according to a November earnings release.
On Feb. 13 — the same day ShinyHunters posted the stolen data and Slack screenshots — Figure announced the launch of a secondary public offering of over 4 million shares of its stock. The company announced the pricing and upsizing of that offering on Wednesday.
Figure claims to be the largest nonbank home equity line of credit lender in the U.S.
The company is offering complimentary credit monitoring to all individuals who received a notice. “We continuously monitor accounts and have strong safeguards in place to protect customers’ funds and accounts,” a company spokesperson said.