Blockchain Fintech Hit in ShinyHunters Campaign
Figure Technology Solutions, a leading fintech firm known for its blockchain-based Home Equity Lines of Credit (HELOCs), has confirmed a data breach affecting nearly 1 million customers. The attack, attributed to the ShinyHunters cybercriminal group, was carried out through a social engineering attack on an employee's Okta SSO credentials.
After Figure refused to pay a ransom, ShinyHunters published 2.5 gigabytes of allegedly stolen data on their dark web leak site.
Breach Details
| Attribute | Detail |
|---|---|
| Affected Customers | ~900,000+ (unique email addresses) |
| Data Exfiltrated | 2.5 GB |
| Attack Vector | Employee Okta SSO credential theft via social engineering |
| Threat Actor | ShinyHunters |
| Data Published | Yes — after ransom refusal |
| Disclosure Timeline | Initial confirmation Feb 13, full scope disclosed Feb 18 |
Data Exposed
| Data Type | Compromised |
|---|---|
| Email addresses | Yes (~900K unique) |
| Full names | Yes |
| Phone numbers | Yes |
| Physical addresses | Yes |
| Dates of birth | Yes |
| Financial account details | Under investigation |
| Social Security Numbers | Under investigation |
The combination of names, addresses, dates of birth, and email addresses creates a high-risk profile for identity theft — particularly given Figure's customer base consists of homeowners with established credit histories and equity.
Attack Chain
1. ShinyHunters identifies Figure employee via LinkedIn/social media
2. Social engineering attack targets employee's Okta SSO credentials
3. Attacker gains authenticated access to Figure's internal systems
4. "A limited number of files" downloaded (per Figure's statement)
5. Files contain ~900K+ customer records totaling 2.5GB
6. ShinyHunters contacts Figure with ransom demand
7. Figure refuses to pay
8. Data published on ShinyHunters' dark web leak site
Figure's Response
Figure's initial statement described the breach as affecting "a limited number of files" — a characterization that drew criticism when subsequent reporting revealed the scope:
- February 13 — Figure confirms the breach, describes it as limited
- February 18 — Independent analysis reveals nearly 1 million affected customers
- Ongoing — Figure offering credit monitoring to affected individuals
The discrepancy between Figure's initial characterization and the actual scale has raised questions about breach disclosure practices in the fintech sector.
The ShinyHunters Playbook
Figure was compromised using the same technique ShinyHunters has deployed against 15+ organizations in 2026:
- Target identification — Identify employees at companies using Okta SSO
- Vishing/social engineering — Use phone calls (sometimes with deepfake voices) to direct employees to fake SSO portals
- MitM credential capture — Proxy credentials and MFA tokens to gain authenticated sessions
- Data exfiltration — Download sensitive data from internal systems
- Ransom and publish — Demand payment, publish if refused
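The proxied-session step in this playbook leaves a footprint a defender can hunt for: the phishing proxy completes MFA from its own IP, and the captured session is then used from somewhere else within minutes. The script below is an added illustration, not code from the article or any of the cited reports; it runs over constructed events shaped like Okta System Log entries (field names such as `authenticationContext.externalSessionId` follow Okta's schema as I understand it; all users, IPs and session IDs are made up) and flags any session seen from more than one client IP inside a short window.

```python
"""Flag Okta sessions used from more than one client IP shortly after MFA (AitM footprint)."""
from collections import defaultdict
from datetime import datetime

def event(ts, etype, user, ip, sid, result="SUCCESS"):
    """Build a constructed event in the shape of an Okta System Log entry."""
    return {"published": ts, "eventType": etype, "outcome": {"result": result},
            "actor": {"alternateId": user}, "client": {"ipAddress": ip},
            "authenticationContext": {"externalSessionId": sid}}

# Constructed sample: jdoe hops IP within minutes; asmith stays put; cpark moves 2h later.
SAMPLE_EVENTS = [
    event("2026-02-10T14:02:11Z", "user.authentication.auth_via_mfa",
          "jdoe@example.com", "203.0.113.40", "sess-A1"),
    event("2026-02-10T14:02:13Z", "user.session.start",
          "jdoe@example.com", "203.0.113.40", "sess-A1"),
    event("2026-02-10T14:06:45Z", "user.authentication.sso",
          "jdoe@example.com", "198.51.100.77", "sess-A1"),
    event("2026-02-10T14:10:02Z", "user.authentication.sso",
          "jdoe@example.com", "198.51.100.9", "sess-A1", result="FAILURE"),
    event("2026-02-10T15:00:00Z", "user.authentication.auth_via_mfa",
          "asmith@example.com", "192.0.2.15", "sess-B2"),
    event("2026-02-10T15:20:00Z", "user.authentication.sso",
          "asmith@example.com", "192.0.2.15", "sess-B2"),
    event("2026-02-10T09:00:00Z", "user.authentication.auth_via_mfa",
          "cpark@example.com", "192.0.2.80", "sess-C3"),
    event("2026-02-10T11:00:00Z", "user.authentication.sso",
          "cpark@example.com", "198.51.100.200", "sess-C3"),
]

def find_session_ip_anomalies(events, window_minutes=30):
    """Return {session_id: (user, sorted IPs)} for sessions seen from more than
    one IP within window_minutes of their first successful event."""
    by_session = defaultdict(list)
    for ev in events:
        if ev["outcome"]["result"] != "SUCCESS":  # failed attempts carry no usable session
            continue
        sid = ev["authenticationContext"].get("externalSessionId")
        if sid:
            ts = datetime.strptime(ev["published"], "%Y-%m-%dT%H:%M:%SZ")
            by_session[sid].append((ts, ev["client"]["ipAddress"], ev["actor"]["alternateId"]))
    findings = {}
    for sid, rows in by_session.items():
        rows.sort()  # chronological; the first row anchors the window
        start = rows[0][0]
        ips = {ip for ts, ip, _ in rows if (ts - start).total_seconds() <= window_minutes * 60}
        if len(ips) > 1:
            findings[sid] = (rows[0][2], sorted(ips))
    return findings
```

A wider window also catches cpark's later IP change, which is why the window should be tuned against normal roaming (VPN egress changes, office to mobile) before alerting on it.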
Why Okta SSO Is the Target
Okta's single sign-on platform is ubiquitous in enterprise environments. Compromising one Okta session grants access to every connected application — CRM systems, databases, cloud storage, and internal tools — making it the most efficient single point of compromise.
Impact for Homeowners
Figure's customer base is predominantly homeowners who have taken out HELOCs (Home Equity Lines of Credit). This demographic is particularly vulnerable to:
- Mortgage fraud — Stolen personal data used to file fraudulent liens or refinancing applications
- Tax fraud — Dates of birth and addresses enable tax return fraud
- Targeted financial phishing — Attackers know the customer has a HELOC and can craft convincing communications
- Property-related scams — Physical addresses combined with financial data enable real estate fraud
What Affected Customers Should Do
- Enroll in credit monitoring — Accept Figure's offered monitoring services
- Place a credit freeze — Contact all three bureaus (Equifax, Experian, TransUnion)
- Monitor for suspicious mail — Watch for unexpected financial documents at your home address
- Enable fraud alerts — Set up alerts on all financial accounts
- Be cautious of HELOC-related communications — Verify independently through Figure's official channels
Key Takeaways
- Nearly 1 million customers affected — Far more than Figure's initial "limited" characterization suggested
- ShinyHunters' Okta SSO playbook continues to work — Same technique used against 15+ organizations
- 2.5GB of data published after ransom refusal
- Homeowner data is high-value — HELOC customers face elevated identity theft and financial fraud risk
- Breach disclosure transparency matters — The gap between "limited files" and ~1M records erodes trust
Sources
- TechCrunch — Data Breach at Fintech Giant Figure Affects Close to a Million Customers
- BleepingComputer — Data Breach at Fintech Firm Figure Affects Nearly 1 Million Accounts
- American Banker — Data Breach Hits 1 Million Figure Customers
- SecurityAffairs — Fintech Firm Figure Disclosed Data Breach After Employee Phishing Attack