Nearly 1 Million Accounts Compromised in Figure Technology Data Breach

Nearly 1 Million People Affected by Figure Technology Data Breach

Every time you apply for a loan online, you hand over a significant amount of personal information — your full name, email address, date of birth, home address, and phone number. Now picture all of that data sitting on a dark web forum, accessible to cybercriminals. For approximately 967,000 people, that is not a hypothetical scenario. It is what happened following a cyberattack on Figure Technology Solutions, a blockchain-based fintech lending company.

What Is Figure Technology Solutions?

Founded in 2018, Figure Technology Solutions operates on the Provenance blockchain, offering services that include lending, borrowing, and securities trading. The company claims to have facilitated over $22 billion in home equity financing through partnerships with banks, credit unions, fintech platforms, and home improvement businesses. Despite its reputation for technological innovation, the company recently fell victim to a serious security incident that had nothing to do with its blockchain infrastructure.

What Happened During the Breach?

According to breach data published by the widely trusted service Have I Been Pwned, the attack exposed information from 967,200 accounts. The compromised dataset included more than 900,000 unique email addresses, along with names, phone numbers, residential addresses, and dates of birth — precisely the kind of information identity thieves need to cause serious harm.

Figure confirmed that the breach was the result of a social engineering attack. In straightforward terms, a company employee was manipulated into granting an unauthorized party access to internal systems.

"We recently identified that an employee was socially engineered, and that allowed an actor to download a limited number of files through their account," a Figure Technology Solutions spokesperson stated. "We acted quickly to block the activity and retained a forensic firm to investigate what files were affected. We are communicating with partners and those impacted as appropriate, implementing additional safeguards and training to further strengthen our defenses, and offering complimentary credit monitoring to all individuals who receive a notice."

Social Engineering: The Real Threat Behind the Breach

Many people associate blockchain technology with ironclad security. However, the attackers in this case never attempted to break any cryptographic system. Instead, they targeted something far more vulnerable — a human being.

Cybercriminal groups that specialize in social engineering, including the notorious ShinyHunters group which reportedly claimed responsibility for this attack, follow a well-established playbook. According to BleepingComputer, ShinyHunters posted approximately 2.5GB of data allegedly belonging to thousands of loan applicants. The same group has recently been linked to breaches affecting companies such as Canada Goose, Panera Bread, and SoundCloud.

How Social Engineering Attacks Work

Security researchers have identified a consistent pattern in these types of attacks:

• Impersonation — Attackers pose as IT support staff or other trusted figures.
• Urgency creation — Victims are pressured to act quickly without thinking critically.
• Credential harvesting — Employees are directed to fake login pages that closely mirror legitimate company portals.
• Account takeover — Once login credentials and even multi-factor authentication codes are captured, attackers gain access to single sign-on systems connected to platforms like Microsoft and Google.
• Lateral movement — A single compromised account can then unlock access to multiple internal tools and databases.

The terrifying reality is that one well-crafted phone call can be enough to bring down an entire organization's security perimeter.

Why This Breach Should Concern Everyone

Even if you have never interacted with Figure Technology Solutions, this incident carries a broader warning. With enough personal data — a real name, a home address, a phone number — cybercriminals can craft highly convincing phishing emails or impersonation phone scams. They might pose as a lender or bank representative calling about a loan application, and the details they provide could sound entirely legitimate.

As financial services continue their shift to online platforms, the attack surface for cybercriminals expands alongside them. Loan applications, digital identity verification processes, and cloud-based systems offer genuine convenience — but they also create new opportunities for exploitation.

The Limits of Blockchain Security

Figure markets itself as a blockchain-native company, and blockchain does offer meaningful benefits in terms of transparency and cryptographic integrity. However, those protections are rendered irrelevant when attackers bypass the technology altogether and manipulate the people operating it. Security failures most frequently occur at the human layer, and that is exactly where sophisticated threat actors direct their focus.

This breach is a stark reminder that no amount of technical sophistication can fully compensate for a workforce that is not adequately trained to identify and resist social engineering tactics.

Steps to Take If You Were Affected

While you cannot control how third-party companies protect your data, there are concrete actions you can take to reduce your risk.

1. Check Whether Your Email Was Exposed

Visit Have I Been Pwned and enter your email address to determine whether your data appeared in this or other known breaches.

2. Enroll in Credit Monitoring

Figure is offering complimentary credit monitoring to affected individuals. If you receive a notice, take advantage of this service immediately. You can also independently sign up for credit monitoring through services like Experian, Equifax, or TransUnion.

3. Enable Multi-Factor Authentication

Activate multi-factor authentication (MFA) on all accounts where it is available, particularly email, banking, and financial platforms.

4. Update Passwords

Change passwords for any accounts connected to your exposed email address. Use unique, complex passwords for each account and consider using a reputable password manager.

5. Stay Vigilant Against Phishing

Be highly skeptical of unsolicited emails or phone calls referencing your personal details or financial accounts. If someone pressures you to act immediately, treat it as a red flag. Hang up and contact the organization directly using a verified phone number from their official website.

6. Monitor Your Financial Accounts

Regularly review your bank statements and credit reports for unauthorized activity. You can request a free credit report from AnnualCreditReport.com.

7. Consider a Credit Freeze

Placing a credit freeze with the three major credit bureaus — Equifax, Experian, and TransUnion — can prevent new credit accounts from being opened in your name without your authorization.

The Bigger Picture: Technology Is Not Enough

The Figure Technology Solutions data breach is a powerful case study in why cybersecurity cannot rely on technology alone. A single employee, deceived by a convincing social engineering attack, inadvertently exposed the personal information of nearly one million people. That is not a flaw in the blockchain. It is a flaw in how organizations prioritize human-centered security training.

As more sensitive financial transactions move online, companies have a responsibility to invest just as heavily in educating their workforce as they do in deploying advanced technology. Firewalls and encryption matter — but so does knowing how to recognize a fraudulent phone call.

If one manipulative conversation can unlock access to nearly a million records, the industry must ask itself a difficult question: are we doing enough to protect the human element of cybersecurity?