Two security incidents flagged
Microsoft warned that an outdated Android SDK exposed over 50 million users to credential and financial-data risk, while a law firm announced an investigation into a Figure Lending data breach affecting nearly one million users. Both items highlight supply-chain and data-concentration vulnerabilities that can affect downstream services and customer data pools. (techradar.com, prnewswire.com)
A flaw in a widely used Android software kit and a separate breach at lender Figure both put large pools of personal data at risk this year. (microsoft.com)

Microsoft said on April 9 that researchers found a severe bug in EngageSDK, a third-party Android kit used inside apps, that let another app on the same phone bypass Android's sandbox and reach private data. Microsoft said more than 30 million installations of third-party crypto wallet apps alone were exposed to risk, including personally identifiable information, user credentials, and financial data. (microsoft.com)

Microsoft said EngageLab and Google were notified through coordinated disclosure, and that EngageSDK version 5.2.1 fixed the issue on November 3, 2025. Microsoft also said Google Play removed all detected apps using vulnerable versions and that Android added automatic protections for users who had already downloaded them. (microsoft.com)

An Android software development kit is a bundle of prewritten code that app makers plug into their own apps for features like messaging, payments, or analytics. When that shared code has a flaw, the weakness can spread across many apps at once, even though the individual app developers never wrote the vulnerable feature themselves. (microsoft.com)

Figure's incident followed a different pattern: one company held a concentrated set of loan and inquiry records in its own databases. Edelson Lechtzin said on April 9 that Figure Technology disclosed a January 28, 2026 incident in which personal data was accessed through database queries involving loan and inquiry records. (prnewswire.com) The law firm said the data may have included names, Social Security numbers, addresses, phone numbers, email addresses, dates of birth, loan account numbers, and loan information. A separate March 13 notice from Schubert Jonckheer & Kolbe said at least 967,000 Figure user records were affected. (prnewswire.com)

Figure says it is a non-bank lender that offers home equity lines of credit, refinancing, and crypto-backed loans, and its site says its platform has served more than 253,000 households and unlocked more than $22 billion in equity. Its trust center also lists Google Cloud Platform, Experian, CoreLogic, and Method among its subprocessors or providers. (figure.com, trust.figure.com)

Schubert Jonckheer & Kolbe said the group ShinyHunters used voice phishing against organizations with Okta single sign-on environments and alleged that Figure was among them; that claim came from the law firm, not from Microsoft or Figure, in the materials reviewed here. Microsoft, by contrast, said it had no evidence that the Android SDK flaw had been exploited in the wild as of its April 9 post. (prnewswire.com, microsoft.com)

The two cases land on opposite sides of the same security problem: shared code can multiply one defect across many apps, and centralized financial records can turn one intrusion into a breach affecting hundreds of thousands of people. In both cases, the cleanup runs downstream to users, developers, lenders, and anyone whose data sits inside those systems. (microsoft.com, prnewswire.com)