Data breach at fintech giant Figure affects close to a million customers
Summary
Blockchain lender Figure's data breach affected nearly 1 million customers. Stolen data includes emails, names, DOBs, addresses, and phone numbers. ShinyHunters claimed responsibility.
Nearly a million customers impacted
Security researcher Troy Hunt discovered that a data breach at blockchain lender Figure exposed the personal information of 967,200 unique customers. Hunt, who operates the breach notification service Have I Been Pwned, analyzed data allegedly stolen from the company and found a massive cache of sensitive user details. This figure far exceeds the "limited number of files" the company initially claimed were affected.
The leaked database contains more than just email addresses. Hunt’s analysis confirmed the files include names, dates of birth, physical addresses, and phone numbers. This variety of personally identifiable information (PII) provides a roadmap for identity thieves and social engineering attacks.
Figure confirmed the breach occurred last week but declined to provide specific numbers or the exact nature of the stolen data. The company has not yet responded to Hunt’s specific findings or clarified why its initial assessment suggested a smaller impact. The gap between corporate disclosure and independent analysis remains a recurring theme in major cyberattacks.
ShinyHunters claims the attack
The cybercrime collective known as ShinyHunters claimed responsibility for the Figure hack. The group published 2.5 gigabytes of data on its dedicated leak site after Figure reportedly failed to meet extortion demands. ShinyHunters typically uses a "name and shame" tactic to pressure companies into paying ransoms for the deletion of stolen data.
This group has a long history of targeting high-profile tech and finance companies. They previously claimed responsibility for breaches involving AT&T, Ticketmaster, and Santander Bank. Their involvement suggests the attackers used sophisticated methods to bypass Figure’s internal security controls.
The hackers published the data on a site often used to facilitate the sale of stolen information to other criminals. This move indicates that the extortion phase has likely ended and the data is now circulating publicly. The 967,200 affected customers must now assume their data is in the hands of multiple malicious actors.
Figure remains quiet on specifics
Figure has not disputed the 967,200 figure provided by Hunt. The company, founded by former SoFi CEO Mike Cagney, specializes in using blockchain technology to streamline home equity lines of credit (HELOCs) and other lending products. This focus on financial services makes the loss of customer data particularly sensitive.
Financial institutions face strict regulatory requirements regarding data protection and breach notification. Figure’s decision to describe the theft as a "limited number of files" may face scrutiny from regulators if the scale of the breach is as large as Hunt suggests. Vague language in the aftermath of a hack rarely ages well once researchers dig into the logs.
The company has not clarified whether it has begun notifying the nearly one million affected individuals. Standard practice in these incidents involves offering credit monitoring services to victims. However, Figure has not yet publicly committed to these remedies or provided a timeline for its internal investigation.
What the leaked data contains
The 2.5 gigabytes of data represents a significant threat to Figure’s user base. Because Figure deals in loans and financial products, the customers involved likely provided high-accuracy data to verify their identities. This makes the information more valuable to hackers than data from a standard social media leak.
The breach includes several critical data points that criminals use to build profiles on victims. These include:
- Full legal names used for financial applications
- Physical home addresses linked to property loans
- Dates of birth used for identity verification
- Phone numbers often used for two-factor authentication
- Unique email addresses associated with Figure accounts
The exposure of physical addresses is particularly concerning for a lending company. Since Figure specializes in HELOCs, the leaked data likely identifies the specific residential properties of its customers. This adds a layer of physical privacy risk to the standard digital threats associated with data breaches.
The risk of identity theft
Identity theft remains the primary concern for the 967,200 people on this list. Armed with a name, date of birth, and address, criminals can attempt to open fraudulent accounts or take over existing ones. This isn't just about spam emails; it's about the integrity of a person's financial life.
Security experts recommend that Figure customers immediately freeze their credit reports with major bureaus. This prevents unauthorized parties from opening new lines of credit using the stolen information. Customers should also remain vigilant against "phishing" attempts that use their specific loan details to appear legitimate.
Troy Hunt’s Have I Been Pwned service has already integrated the Figure data. Users can check the site to see if their email address was part of the 967,200 records. This independent verification often serves as the only way for consumers to learn the truth while companies navigate their legal and PR responses.
Fintech security under pressure
The Figure breach highlights the ongoing security challenges facing the fintech and blockchain sectors. These companies often market themselves as more secure and efficient than traditional banks. However, the ShinyHunters attack proves that even blockchain-based firms are vulnerable to traditional data exfiltration techniques.
Figure uses the Provenance blockchain to record and service its loans. While the blockchain itself may remain secure, the centralized servers where Figure stores customer PII are often the weakest link. Hackers target these traditional databases because they contain the readable, unencrypted personal data that blockchain entries often lack.
This incident will likely increase pressure on fintech startups to adopt more rigorous security audits. As more people move their financial lives to digital-first lenders, the incentive for groups like ShinyHunters to target these platforms grows. For now, nearly a million Figure customers are left waiting for a more transparent explanation from the company they trusted with their homes and identities.
