Fintech Firm Figure Suffers Data Breach

- The attack was executed via voice phishing ("vishing"), a social engineering tactic where an employee was tricked by an attacker impersonating IT support to gain their single sign-on (SSO) credentials. - The breach exposed the personally identifiable information (PII) of nearly 1 million individuals, with data breach notification service Have I Been Pwned identifying 967,200 unique accounts. - Exposed data includes full names, email addresses, phone numbers, physical addresses, and dates of birth; however, the company stated that customer funds and passwords remained secure. - ShinyHunters published the data on the dark web after Figure refused to pay a ransom. The group has recently targeted other companies like Panera Bread, Betterment, and SoundCloud using similar social engineering methods. - This incident is part of a broader campaign by ShinyHunters targeting corporate SSO accounts, particularly those managed through identity platforms like Okta. - The breach occurred at a sensitive financial moment for Figure, which had its initial public offering in September 2025 and was in the process of a secondary stock offering. - Figure was founded in 2018 by Mike Cagney and June Ou and is known for using its proprietary Provenance Blockchain for loan origination and other financial services. - In response, Figure has engaged a third-party forensic firm to conduct an audit and is offering complimentary credit monitoring services to those affected by the leak.