Nearly 1 million accounts exposed in Figure Technology data breach claimed by ShinyHunters

Hackers have stolen personal and contact information tied to 967,200 accounts after breaching the systems of Figure Technology Solutions, a San Francisco-based blockchain-native financial technology firm specializing in home equity lending.

The intrusion, which dates back to January 2026, was attributed to a social engineering attack in which an employee was tricked into providing access to company systems. The stolen data was publicly posted online in February, prompting broader scrutiny of the incident.

Figure, founded in 2018, operates on the Provenance blockchain and facilitates lending, borrowing and securities trading. The company reports having unlocked more than $22 billion in home equity through partnerships with more than 250 banks, credit unions, financial technology firms and home improvement companies.

Company representatives described the breach as involving “a limited number of files” extracted from internal networks. The company confirmed it is communicating with partners and affected individuals and is offering free credit monitoring services to those who receive notification.

Details of the breach were added Wednesday to Have I Been Pwned, which identified exactly 967,200 impacted customer accounts. The exposed data includes more than 900,000 unique email addresses along with names, phone numbers, physical addresses and dates of birth. The information could increase the risk of identity theft, loan fraud and targeted phishing campaigns against affected individuals.

The cybercrime group ShinyHunters claimed responsibility for the breach and listed Figure on its dark web leak site. The group published approximately 2.5 gigabytes of data allegedly taken from thousands of loan applicants after claiming the company declined to pay an undisclosed ransom demand.

An unverified post on the BreachForums marketplace alleged that the stolen material also included HubSpot CRM data, know-your-customer information, applicant records, employee data and stakeholder information.

ShinyHunters has recently claimed similar intrusions at several major organizations, including Canada Goose, Panera Bread, Betterment, SoundCloud, PornHub and CrowdStrike. While not all incidents are believed to be linked, some victims were targeted in a broader voice phishing campaign focused on compromising single sign-on credentials.

That campaign involved attackers impersonating IT support staff and persuading employees to enter credentials and multi-factor authentication codes into phishing sites mimicking legitimate login portals. Once inside, attackers could pivot across enterprise applications connected to single sign-on environments.

As part of the same wave of activity, ShinyHunters also breached Match Group, which owns platforms including Tinder, Hinge, Match.com and OkCupid.

The group has also targeted financial advisory firms Mercer Advisors and Beacon Pointe Advisors in recent weeks, claiming to have obtained millions of client records. Both firms remain listed on the group’s leak site.

Figure’s investigation into the January breach remains ongoing as cybersecurity experts continue to analyze the scope of the exposure and its potential downstream impact.