Fintech Lender Figure Confirms Data Breach After Social Engineering Attack
ShinyHunters claims responsibility, says 2.5GB of customer data published after ransom refusal.
Figure Technology, a blockchain-based lending platform, has confirmed a data breach.
The company said the incident began with a social engineering attack targeting an employee.
According to spokesperson Alethea Jadick, hackers accessed and stole “a limited number of files.”
- Attack vector: employee social engineering
- Data stolen: limited number of files
- Company notifying impacted parties
Customer Data Allegedly Exposed
The hacking group ShinyHunters claimed responsibility on its dark web leak site.
The group said Figure refused to pay a ransom and that it published 2.5 gigabytes of stolen data.
TechCrunch reviewed a portion of the dataset.
It included full names, home addresses, dates of birth, and phone numbers.
- Personally identifiable information (PII) exposed
- 2.5GB data dump claimed
- Ransom allegedly refused
Such details are highly sensitive in financial services, where identity theft risks run high.
Okta-Linked Campaign
A member of ShinyHunters told TechCrunch the breach was part of a broader campaign.
The campaign allegedly targeted organizations relying on Okta, a single sign-on provider.
Other reported victims include Harvard University and the University of Pennsylvania (UPenn).
- Alleged Okta-linked attack chain
- Multiple institutional targets
- Coordinated campaign suggested
It remains unclear how deeply Figure’s systems were compromised.
Company Response and Support
Figure said it is communicating with partners and affected individuals.
The company is offering free credit monitoring to those who receive breach notifications.
However, the spokesperson declined to answer detailed questions about scope, detection timelines, or internal security controls.
- Credit monitoring offered
- Direct notifications underway
- Limited public disclosure so far
For a fintech lender handling sensitive financial data, even a “limited” breach can carry outsized consequences.
Is this another warning sign about human-layer vulnerabilities in identity-based access systems?
As attackers increasingly exploit social engineering over technical exploits, even blockchain-era fintech firms remain exposed to old-school tactics.
TL;DR: Figure Technology confirmed a data breach after an employee fell victim to a social engineering attack. Hacker group ShinyHunters claims it published 2.5GB of stolen data, including names, addresses, and dates of birth. Figure is notifying affected individuals and offering free credit monitoring.
AI summary:
- Figure confirms data breach
- Social engineering attack on employee
- 2.5GB data allegedly leaked
- PII including DOB and addresses exposed
- Credit monitoring offered to affected users
