Figure Blockchain Lender Confirms Customer Data Breach Following Social Engineering Attack

TLDR:

• Figure Technology employee tricked in social engineering attack enabling unauthorized data access 
• ShinyHunters published 2.5GB of customer data including names, addresses, and phone numbers 
• Attack part of broader campaign targeting companies using Okta single sign-on authentication 
• Figure offers free credit monitoring and maintains customer funds remain secure despite breach
  

Figure Technology disclosed a customer data breach on Friday after an employee fell victim to a social engineering attack.

The blockchain lender confirmed that hackers accessed limited customer files through the compromised account. Hacking group ShinyHunters claimed responsibility for the incident and published approximately 2.5 gigabytes of stolen data. The company has launched a forensic investigation and implemented additional security measures.

Attack Details and Compromised Information

Figure explained the breach in a statement, noting that attackers manipulated an employee through deceptive tactics to gain unauthorized system access.

“We recently identified that an employee was socially engineered, and that allowed an actor to download a limited number of files through their account,” the company said. Figure identified the incident quickly and responded to contain the threat.

The lender emphasized its swift response to the security incident. “We acted quickly to block the activity and retained a forensic firm to investigate what files were affected,” Figure stated. The company worked to determine the full scope of compromised data following the discovery.

ShinyHunters stated that Figure refused to pay a ransom demand before publishing the stolen data. TechCrunch reviewed portions of the leaked files and confirmed they contained sensitive customer information.

The exposed data includes full names, home addresses, dates of birth, and phone numbers of affected individuals.

The New York-based lender specializes in home equity lines of credit using its Provenance blockchain platform. Founded in 2018, Figure went public in September 2025 under ticker symbol FIGR.

The initial public offering raised $787.5 million and valued the company at approximately $5.3 billion.

Broader Campaign and Company Response

A ShinyHunters member told TechCrunch the attack was part of a larger campaign targeting organizations using Okta single sign-on services.

Harvard University and the University of Pennsylvania were among other alleged victims in this widespread operation. The connection suggests a coordinated effort exploiting vulnerabilities in shared authentication systems.

Figure is communicating with partners and affected customers about the breach. “We are offering complimentary credit monitoring to all individuals who receive a notice,” the company said. These protective measures aim to help customers guard against potential identity theft or fraud.

The lender reassured customers about account security despite the data exposure. “We continuously monitor accounts and have strong safeguards in place to protect customers’ funds and accounts,” Figure stated. The company maintains that customer funds remain secure throughout the incident.

Data breaches have become increasingly common across industries in recent years. Privacy Rights Clearinghouse reported over 8,000 notification filings in 2025 tied to more than 4,000 separate incidents. These breaches affected at least 374 million people throughout the year.

Figure announced a secondary public offering on the same day as the breach disclosure. The company plans to offer up to 4.23 million shares of Series A Blockchain Common Stock.

The stock closed Friday up 3.57% at $35.29, though it has declined 37% over the past month.