TL;DR: Figure Technology Solutions, America's largest non-bank HELOC lender with $17 billion in home equity loans originated, confirmed that attackers stole data on 967,000 customers in January 2026. ShinyHunters claims responsibility and leaked 2.5 GB of stolen data on its dark web site after Figure refused to pay ransom. The attack vector: a single employee tricked by a phone call. ShinyHunters says Figure was one of 100+ companies targeted through voice phishing of Okta single sign-on logins. This is the third fintech hit by the same playbook in six weeks.
What Happened
In January 2026, someone called a Figure employee and talked them into handing over access credentials. That's it. No zero-day exploit. No sophisticated malware. A convincing voice on a phone line [1].
Figure describes it as being "deceived in a social engineering attack that enabled unauthorized access to a limited number of files." That "limited number of files" contained personal information on close to a million people who had applied for home equity loans [2].
The company confirmed the breach on February 13 after TechCrunch confronted them with evidence of the stolen data circulating online. Figure didn't publish a breach notice on its website. They didn't issue a press release. They waited until journalists showed up asking questions.
What Was Stolen
According to Have I Been Pwned, the breach exposed 967,200 unique email addresses. But email addresses were the least of it. The stolen data includes [3]:
- Full names
- Email addresses
- Phone numbers
- Physical home addresses
- Dates of birth
These are people who applied for home equity loans. That means their home addresses are confirmed: they own property at those locations. Combined with dates of birth and phone numbers, it's a gift-wrapped package for identity thieves.
ShinyHunters published 2.5 gigabytes of data on their leak site after Figure refused to pay the ransom [4].
ShinyHunters and the Okta Campaign
ShinyHunters claimed responsibility for the Figure breach, and it wasn't a solo hit.
According to researchers at Silent Push, ShinyHunters has been running a large-scale "vishing" campaign targeting over 100 companies that use Okta single sign-on (SSO) [5]. The attack works like this:
- They register fake domains that look like company login portals
- They call employees, pretending to be IT support
- While the victim is on the phone, attackers remotely control which pages appear in the victim's browser
- They walk the victim through entering their credentials and MFA codes
- The attackers capture everything in real-time and gain full access
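As an added, defender-side illustration (not code from the article or any of the cited reports), the check below flags hostnames that mimic a company's Okta login portal, the "fake domains that look like company login portals" described above, so they can be reviewed when they show up in new-domain feeds, proxy logs or help-desk tickets. The legitimate hostname, brand tokens and sample domains are constructed placeholders.

```python
"""Flag candidate hostnames that mimic a company's Okta SSO login host.

All hostnames below are constructed examples, not real registrations.
"""
import unicodedata
from difflib import SequenceMatcher

LEGIT_SSO_HOST = "examplecorp.okta.com"   # constructed legitimate SSO host
BRAND_TOKENS = ("examplecorp", "okta")     # tokens a spoof will reuse

# Digit-for-letter substitutions commonly used in lookalike registrations.
_DIGIT_MAP = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})


def normalize(host: str) -> str:
    """Lower-case, strip accents, and undo common lookalike substitutions."""
    host = unicodedata.normalize("NFKD", host.lower().strip("."))
    host = "".join(c for c in host if not unicodedata.combining(c))
    return host.translate(_DIGIT_MAP).replace("rn", "m").replace("vv", "w")


def registrable(host: str) -> str:
    """Crude registrable domain: the last two labels (fine for .com-style TLDs)."""
    return ".".join(host.lower().strip(".").split(".")[-2:])


def score_lookalike(candidate: str, legit: str = LEGIT_SSO_HOST) -> dict:
    """Return {'suspicious': bool, 'reasons': [...]} for one hostname."""
    # Anything under the real registrable domain is the company's own host.
    if registrable(candidate) == registrable(legit):
        return {"suspicious": False, "reasons": ["same registrable domain as legit host"]}
    cand, real = normalize(candidate), normalize(legit)
    reasons = []
    if cand == real:
        reasons.append("homoglyph/digit-substitution copy of the legitimate host")
    labels = cand.replace("-", ".").split(".")
    used = [t for t in BRAND_TOKENS if any(t in lbl for lbl in labels)]
    if used:
        reasons.append(f"brand token(s) {used} on a foreign domain")
    ratio = SequenceMatcher(None, cand, real).ratio()
    if ratio >= 0.8:
        reasons.append(f"string similarity {ratio:.2f} to the legitimate host")
    return {"suspicious": bool(reasons), "reasons": reasons}


if __name__ == "__main__":
    for h in ("examplecorp.okta.com", "examplecorp.0kta.com",
              "examplecorp-okta.com", "news.example.org"):
        print(h, score_lookalike(h))
```

Exact-match allow-listing of the real registrable domain comes first so the heuristics never flag the company's own subdomains.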
A ShinyHunters member told The Register that Figure was targeted as part of this broader campaign against companies using Okta [6].
The campaign has been devastating. ShinyHunters has leaked data from Crunchbase and SoundCloud, and confirmed to reporters that it accessed both Crunchbase and Betterment by voice-phishing Okta SSO codes.
Third Fintech in Six Weeks
Figure isn't alone. The same playbook has burned multiple financial services companies this year:
- January 9, 2026: Betterment breach: 1.4 million users exposed, social engineering attack via Okta SSO, ShinyHunters claimed responsibility
- January 2026: Figure breach: 967,000 users exposed, same attack pattern
- December 2025: Aflac breach: 22.65 million people exposed, Scattered Spider used social engineering to access the insurance giant
The pattern is clear: financial services companies are sitting ducks for voice phishing. Their employees have access to sensitive data. Their IT help desks are trained to be helpful. And attackers have learned that a well-crafted phone call beats hacking a firewall every time.
Who Is Figure?
If you don't know Figure, you probably should. They're the largest non-bank HELOC lender in America [7].
Founded in 2018 by Mike Cagney (who also founded SoFi), Figure has originated over $17 billion in home equity loans. Their whole pitch is using blockchain technology to make home equity loans faster and cheaper.
The company operates on the Provenance Blockchain, uses smart contracts to manage loans, and has been positioning itself for a $400 million IPO [8]. They've partnered with Sixth Street on a $2 billion joint venture for the non-agency mortgage market.
In other words: they're a major financial player holding extremely sensitive data on nearly a million homeowners. And they got owned by a phone call.
Figure's Response
Figure is offering affected customers free credit monitoring services. That's standard practice: the bare minimum after you've leaked someone's personal data.
What they haven't done:
- Published a breach notice on their website
- Issued a public statement explaining what happened
- Detailed what security improvements they're making
- Explained how they'll prevent this from happening again
When TechCrunch asked detailed questions about the breach's scope, Figure "declined to answer" [9].
What You Should Do
If you've ever applied for a loan through Figure, whether a HELOC, cash-out refinance, or crypto-backed loan, assume your data was compromised.
- Freeze your credit at all three bureaus: Equifax, Experian, TransUnion. Don't just monitor, freeze. This stops new accounts from being opened in your name.
- Watch for targeted scams. Attackers know your name, address, and that you own property. Expect sophisticated phishing attempts pretending to be from mortgage companies, tax authorities, or title insurance firms.
- Check for unauthorized property liens in your county records. Home equity fraud is real and devastating.
- Enroll in the credit monitoring Figure is offering. It's the least they can do, and it's free.
- Obtain an IRS Identity Protection PIN to prevent tax fraud using your stolen personal information.
The Bigger Picture
Voice phishing is eating the financial services industry alive.
Scattered Spider talks their way into insurance companies. ShinyHunters talks their way into fintech platforms. The technical controls don't matter when someone picks up the phone and says "Hi, this is IT support, I need you to verify your login."
Multi-factor authentication was supposed to be the answer. But when attackers are on the phone with victims in real-time, watching them enter their MFA codes on fake portals, that protection evaporates.
The companies getting breached have billions of dollars, armies of security engineers, and enterprise security tools. None of that matters when the attack vector is a convincing phone call to an employee who's just trying to be helpful.
Until financial services companies figure out how to protect against social engineering (really protect against it, not just check a box on a security audit), expect more of these.
References
- Cyber Insider: Fintech lender Figure hit by data breach impacting 967k accounts (February 2026)
- Security Affairs: Fintech firm Figure disclosed data breach after employee phishing attack
- Have I Been Pwned: Figure Data Breach
- The Register: ShinyHunters claims Okta customer breaches, leaks data (January 2026)
- CyberScoop: A new wave of 'vishing' attacks is breaking into SSO accounts in real time
- Industrial Cyber: Silent Push details human-led ShinyHunters phishing campaign targeting Okta SSO accounts
- Figure: America's #1 Non-Bank HELOC Lender
- Renaissance Capital: Figure Technology Solutions files for an estimated $400 million IPO
- BleepingComputer: Data breach at fintech firm Figure affects nearly 1 million accounts