A data vault cracked open, and nearly a million digital identities spilled into the wild. This time, the fallout traces back to fintech lender Figure, where attackers turned a well-placed conversation into a gateway for mass exposure. According to reporting by TechCrunch and subsequent analysis by Have I Been Pwned, 967,200 customer email records were compromised after a social engineering attack granted unauthorized access to Figure’s internal systems.
Researchers who reviewed the leaked files say the exposed dataset extends beyond basic contact details, adding weight to concerns about how the information could be used.

Big archive, bigger exposure surface

The published files go beyond email records, containing customer names, dates of birth, phone numbers, and physical addresses linked to individual accounts. Those elements amount to a structured identity profile rather than a basic contact list.
Roughly 2.5 GB of data was posted online by ShinyHunters, suggesting a sizable internal data set. Because birth dates and home addresses are commonly used in identity verification across financial and telecom services, their exposure significantly increases the potential for misuse.

A breach that unfolded in stages

The intrusion occurred in January 2026, when an employee was reportedly manipulated through a social engineering tactic that granted unauthorized access to internal systems.
The incident remained out of public view until stolen data began circulating online. Figure later confirmed the breach and attributed it to an employee-targeted attack. The breach was later listed on Have I Been Pwned after security researcher Troy Hunt analyzed the exposed records.
Figure, however, did not respond to requests for comment regarding the scope of the exposed data or whether it disputes the independent findings, leaving key details of the incident unaddressed.

Identity verification data in the wrong hands

The exposed details match the kind of information banks, lenders, and telecom providers often use to confirm someone’s identity. They can make it easier for an attacker to convincingly pose as a real customer.
That kind of data is frequently used in SIM-swap attempts, unauthorized account access, and other forms of financial fraud. And unlike passwords, personal identifiers don’t change, so they can remain useful to criminals long after the initial breach.

The playbook ShinyHunters is known for

ShinyHunters claimed responsibility for the intrusion.
Instead of locking companies out of their systems, the collective focuses on extracting large datasets and using the threat of public exposure as leverage. The group first drew global attention in 2020 after leaking millions of user records from companies including Tokopedia and fashion retailer Bonobos. In subsequent campaigns, it has been linked to breaches involving Microsoft-owned GitHub repositories, Ticketmaster, and claims targeting Google systems.
Over time, its operations have shifted toward cloud environments, exploiting misconfigured storage, exposed credentials, and weak authentication controls, sometimes using social engineering tactics such as voice phishing to gain access. By early 2026, dozens of attacks had been attributed to the group. Its pattern is consistent: steal sensitive data, publish samples to demonstrate possession, and apply reputational and regulatory pressure through public disclosure.
The appearance of Figure’s data online follows that same blueprint.