Figure Breach – Data of Nearly 1M Customers Posted Online
Figure Technology Solutions’ customer data from roughly 967,200 accounts was posted online in February 2026 after attackers used social engineering to access an employee account and take a limited set of files, according to the company, TechCrunch reporting, and independent analysis from Have I Been Pwned.
The incident matters because the exposed dataset includes identity data such as names, home addresses, phone numbers, dates of birth, and email addresses, which can enable fraud and targeted scams.

What Happened in the Breach
Figure Technology Solutions said attackers gained access after an employee was “socially engineered,” which let the intruder download a limited number of files through that employee’s account, according to statements cited in TechCrunch and American Banker.
The company said it began communicating with partners and impacted people and offered free credit monitoring to those who receive a notice.
The extortion group ShinyHunters claimed responsibility and posted about 2.4 to 2.5 gigabytes of data on its leak site after it said Figure did not pay, according to TechCrunch, SecurityWeek, and other reporting. TechCrunch said it reviewed a portion of the leaked material and saw customer names, home addresses, dates of birth, and phone numbers.
Timeline: From First Access To Latest Update
Public reporting placed the intrusion in January 2026, with Figure attributing the entry point to social engineering against an employee, according to TechRepublic’s recap of the incident and the breach overview published by Have I Been Pwned. Have I Been Pwned said the exposed data dates back to January 2026.
ShinyHunters posted the stolen archive on February 13, 2026, and Figure confirmed the incident the same day in a statement to TechCrunch that described a limited number of files taken, according to TechCrunch and American Banker. TechCrunch reported that ShinyHunters claimed Figure refused to pay and published roughly 2.5 gigabytes of data.
Security researcher Troy Hunt added the breach to Have I Been Pwned on February 18, 2026, listing 967,200 affected accounts, and TechCrunch reported that analysis the same week. SecurityWeek and TechRepublic published follow-up reports on February 19, 2026, reflecting that independent count as the most detailed public sizing as of that date.
What Data Or Systems Were Affected
Have I Been Pwned listed the compromised data fields as names, email addresses, phone numbers, physical addresses, and dates of birth. TechCrunch and SecurityWeek described the same core identity fields after reviewing samples and summarizing what was in the leak.
Figure has not publicly detailed which internal systems were accessed or which repositories produced the files, and the company did not publicly confirm whether sensitive financial data, government identifiers, passwords, or account credentials were included.
Reporting framed the material as customer identity and contact data tied to Figure accounts and loan-related records, with the company describing the theft as a limited set of files rather than a full platform compromise.
Who Was Responsible (Confirmed Vs Alleged)
Figure attributed the breach cause to social engineering of an employee, which is the only confirmed entry method the company has described publicly through statements cited in TechCrunch and American Banker. Public reporting did not cite any law enforcement attribution announcement.
ShinyHunters claimed responsibility for the intrusion and data release, and TechCrunch reported that a member of ShinyHunters tied Figure to a broader campaign aimed at single sign-on access.
That campaign context matches a pattern described by Google Threat Intelligence and Mandiant, which tracked ShinyHunters-branded SaaS data theft activity centered on voice-based social engineering and credential harvesting, though that broader report did not name Figure in the lines cited here.
How The Attack Worked
Figure has not published a technical postmortem describing the exact sequence, and the company’s public description stopped at “social engineering” against an employee and subsequent file downloads. American Banker reported that Figure blocked the activity and brought in a forensic firm to determine which files were affected.
TechCrunch reported that ShinyHunters connected Figure to an Okta-related single sign-on campaign, which remains an attacker claim rather than a public Figure confirmation.
Impact and Risks for Customers
The exposed fields create a high-value identity profile because names paired with dates of birth, phone numbers, and home addresses are widely used for account recovery, identity checks, and social engineering scripts. Have I Been Pwned and multiple outlets highlighted that the data went beyond a simple contact list.
Common follow-on risks include targeted phone scams, SIM swap attempts, synthetic identity fraud, and account takeover attempts against unrelated services where attackers can pass basic verification prompts. Public reporting did not confirm known cases of customer funds theft tied to this incident, and no public notice described reimbursement figures or direct customer losses as of the latest reporting in February 2026.
Company Response And Customer Remediation
Figure said it was communicating with partners and impacted people and offering free credit monitoring to people who receive a notice, according to its statement cited in TechCrunch. American Banker reported that Figure blocked the activity and retained a forensic firm to determine which files were affected, and the company referenced additional safeguards and training in its comments.
Public reporting did not state the credit monitoring provider, the enrollment window, or the duration of coverage, and Figure did not publicly confirm whether it disputes the 967,200 account count published by Have I Been Pwned. TechCrunch reported the company did not respond to detailed follow-up questions about scope.
Government, Law Enforcement, And Regulator Actions
Public reporting through February 19, 2026 did not cite a named regulator action, fine, consent order, or public law enforcement statement tied to the Figure incident. The company’s public comments cited in TechCrunch and American Banker focused on internal response, partner communications, and credit monitoring rather than government actions.
Many U.S. breaches lead to notifications that become visible in state-level breach portals over time, but no such primary regulator posting was referenced in the sources used for this report. Confirmed public steps in the record remain the company’s statements to the press, the appearance of the dataset online, and the Have I Been Pwned listing.
Financial, Legal, And Business Impact
The breach created immediate liability exposure tied to notification, forensics, credit monitoring, and customer support costs, with longer-tail risk tied to fraud claims and litigation. American Banker noted the leak hit during an important market moment for Figure, referencing a secondary offering context while the incident gained attention.
Plaintiff-side law firms quickly began advertising investigations and potential claims tied to the incident, which is a common early signal that class action filings may follow. Lynch Carpenter published a press statement saying it was investigating claims after the reported exposure of personal information.
What Remains Unclear About the Breach
Key gaps remain around the precise intrusion date in January 2026, how long the attacker maintained access, which SaaS systems or storage locations were reached, and whether any non-public data types beyond the identity fields in the leaked sample were accessed. Figure has not published a public incident report that answers those technical questions.
Unanswered questions remain on whether ShinyHunters contacted Figure with a specific ransom amount, whether negotiations took place, whether any third parties such as vendors or identity providers were involved in the access path, and whether law enforcement received a formal report. Public reporting described the extortion claim and the data posting, but it did not confirm those operational details.
Why This Incident Matters
The Figure case shows how modern intrusions can begin with human-focused tactics that bypass technical perimeter defenses, then move directly into cloud data theft for extortion. Google Threat Intelligence described this pattern as vishing plus credential harvesting for single sign-on access, followed by SaaS data exfiltration, which matches the attacker narrative reported by TechCrunch in the Figure case.
The incident highlights why phishing-resistant MFA and strong identity controls matter for financial services firms and their partners, since attackers can succeed without exploiting a software flaw. Okta’s threat research described how voice-based phishing kits can push targets through MFA prompts in real time, which raises the stakes for training, help desk verification, and device-based authentication.
How Bright Defense Can Help Reduce Similar Breaches
Bright Defense can reduce the risk of incidents like the Figure breach through penetration testing that focuses on identity and access paths, cloud and SaaS exposures, and the real ways attackers reach data during an extortion attempt. Pen tests can stress-test single sign-on configurations, MFA flows, session controls, admin roles, and data access boundaries, which are frequent weak points in social-engineering-driven campaigns.
Continuous compliance from Bright Defense can keep identity, logging, and access controls in a steady state across fast-changing environments, with ongoing checks for policy drift and missing guardrails in cloud and SaaS stacks. That steady feedback loop can catch risky changes early, strengthen evidence for audits, and reduce the chance that a single compromised account turns into broad data access.
Sources
This list reflects publicly available reporting and primary technical context published through February 19, 2026, plus reference material accessed on February 22, 2026.
- TechCrunch: Fintech lending giant Figure confirms data breach (February 13, 2026)
  https://techcrunch.com/2026/02/13/fintech-lending-giant-figure-confirms-data-breach/
- TechCrunch: Data breach at fintech giant Figure affects close to a million customers (February 18, 2026)
  https://techcrunch.com/2026/02/18/data-breach-at-fintech-giant-figure-affects-close-to-a-million-customers/
- Have I Been Pwned: Figure Data Breach (February 18, 2026)
  https://haveibeenpwned.com/Breach/Figure
- BleepingComputer: Data breach at fintech firm Figure affects nearly 1 million accounts (February 18, 2026)
  https://www.bleepingcomputer.com/news/security/data-breach-at-fintech-firm-figure-affects-nearly-1-million-accounts/
- SecurityWeek: Nearly 1 Million User Records Compromised in Figure Data Breach (February 19, 2026)
  https://www.securityweek.com/nearly-1-million-user-records-compromised-in-figure-data-breach/
- American Banker: Data breach hits 1 million Figure customers (February 19, 2026)
  https://www.americanbanker.com/news/data-breach-hits-1-million-figure-customers
- TechRepublic: Figure Data Breach Exposes Nearly 1 Million Customers Online (February 19, 2026)
  https://www.techrepublic.com/article/news-figure-data-breach-967200-email-records/
- Google Cloud Blog (Mandiant, Google Threat Intelligence): Vishing for Access: Tracking the Expansion of ShinyHunters-Branded SaaS Data Theft (January 31, 2026)
  https://cloud.google.com/blog/topics/threat-intelligence/expansion-shinyhunters-saas-data-theft
- Okta: Phishing kits adapt to the script of callers (January 22, 2026)
  https://www.okta.com/blog/threat-intelligence/phishing-kits-adapt-to-the-script-of-callers/
- Lynch Carpenter LLP: Figure Technology Solutions Data Breach Claims Investigated (February 17, 2026)
  https://lynchcarpenter.com/news/figure-technology-solutions-data-breach-claims-investigated-by-lynch-carpenter/
- Financial Times Markets: Figure Technology Solutions Inc profile (Accessed February 22, 2026)
  https://markets.ft.com/data/equities/tearsheet/profile?s=FIGR%3ANSQ