Figure Lending breach under investigation

A lender that advertises five-minute prequalification and funding in as little as five days is now dealing with a breach notice tied to data pulled from its loan databases. Figure says evidence showed personal information was obtained on January 28, 2026 through queries on databases holding loan and loan-inquiry records. (oag.ca.gov) The law firm Edelson Lechtzin said on April 9, 2026 that it is investigating the incident and described the affected population as nearly 1 million users. Its notice says the data may include names, Social Security numbers, addresses, phone numbers, email addresses, dates of birth, loan account numbers, and loan information. (prnewswire.com) Figure’s own sample breach notice is narrower than the law firm’s description. In the California filing, Figure says the affected information for that notice included a name, address, bank account number, and bank routing number, and it says there was no evidence of unauthorized access to customer accounts or funds. (oag.ca.gov) That gap matters because breach notices are often personalized. One customer can get a letter listing bank details, while a law firm reviewing the wider incident can point to a larger menu of data types found across the full affected group. (oag.ca.gov) (prnewswire.com) Figure is not a tiny niche app. Its business is home equity lending, which means borrowers hand over the financial equivalent of a full mortgage folder: identity details, property details, income details, and banking details. Figure’s own site calls it the “#1 non-bank home equity line of credit in the U.S.” and says many loans can skip an in-person appraisal for amounts under $400,000. (figure.com) A home equity line of credit is basically a credit card secured by your house. To issue one, a lender needs enough information to verify who you are, what you own, how much you owe, and where money should move. (figure.com) (forbes.com) That is why breaches at lenders hit differently from breaches at stores. A stolen retail account might expose an email and password, but a lending file can expose the pieces needed for bank fraud, loan fraud, tax scams, or synthetic identity theft. (prnewswire.com) The public record is still thin on the technical cause. Figure’s notice says “unauthorized activity” was discovered and stopped, while a separate lawsuit filed on February 19, 2026 alleges a social-engineering attack and says the hacking group ShinyHunters claimed responsibility, but those allegations come from the complaint, not from Figure’s notice. (oag.ca.gov) (classaction.org) The timeline is also split across filings. The law firm notice points to January 28, 2026 as the date data was obtained through database queries, while the lawsuit article says the attack was discovered on or around February 14, 2026. (prnewswire.com) (classaction.org) Figure says it brought in a cybersecurity firm, notified law enforcement, and is offering two years of free credit monitoring and identity restoration through TransUnion, with enrollment by May 31, 2026. That is the standard cleanup package after a breach, but it does not put bank account numbers or loan histories back in the bottle. (oag.ca.gov) What happens next will likely turn on details that are still missing: exactly how many people were affected, exactly which data fields were exposed across the whole group, and whether Figure’s security controls matched the sensitivity of mortgage-style borrower files. Those answers usually emerge in regulator filings, court complaints, and revised customer notices weeks or months after the first press release. (prnewswire.com) (classaction.org)