In a stunning blow to blockchain innovation, Figure Technology confirmed it fell victim to a major data breach in mid-February 2026. The publicly traded blockchain-based lending company, known for revolutionizing Home Equity Lines of Credit through faster funding and lower operational costs, now faces a serious security crisis. Just what everyone needed—another reason to question blockchain security.
ShinyHunters hacking group claimed responsibility, releasing 2.5GB of stolen data after Figure refused their ransom demands. Classic extortion playbook. The group operates by stealing data rather than encrypting it, posting samples on dark web leak sites to prove they mean business.
The breach exposed customer full names, home addresses, dates of birth, and phone numbers. Email addresses weren’t stolen, which is something, I guess. TechCrunch verified portions of the leaked data, confirming the exposure of personal identifiers. The number of affected customers remains undisclosed. Convenient.
This wasn’t just a random attack. Figure’s breach was part of a larger hacking campaign targeting users of Okta single sign-on service. Harvard University and the University of Pennsylvania also got hit in the same coordinated attack. A ShinyHunters member revealed Figure’s connection to this broader Okta compromise.
Part of a coordinated assault on Okta users that also targeted Harvard and UPenn. Guess hackers love prestigious company.
So how did they get in? Social engineering—the oldest trick in the book. An employee fell for a phishing scam, handing over credentials that gave attackers access to company systems. The hackers then downloaded a “limited number of files” through the compromised account. The company immediately halted the activity and began assessing the scope of the breach.
Figure responded by halting the malicious activity and hiring a forensics firm to investigate. They’ve notified affected individuals and partners while strengthening security measures. Free credit monitoring and identity theft protection were offered to affected customers. Because nothing says “sorry we exposed your personal data” like free credit monitoring.
With exposed phone numbers and contact details, vishing (voice phishing) presents a heightened concern for victims. Figure is now actively communicating with partners and all individuals who might have been impacted by the data theft. Turns out blockchain doesn’t shield you from good old-fashioned human error.
