⚡ Key Highlights
- Figure Technology confirmed a data breach on February 13, 2026, caused by a social engineering attack targeting a single employee
- Hacking group ShinyHunters claimed responsibility and published ~2.5GB of stolen data after Figure refused to pay a ransom
- Exposed customer data includes full names, home addresses, dates of birth, and phone numbers
- The breach is linked to a broader Okta SSO campaign — other alleged victims include Harvard University and the University of Pennsylvania
- Figure is a Nasdaq-listed blockchain lending company (ticker: FIGR) that raised $787.5M in its September 2025 IPO at a ~$5.3B valuation
- Figure is offering free credit monitoring to all affected customers and has engaged a forensic investigation firm
Figure Technology Data Breach: ShinyHunters Dumps 2.5GB of Stolen Customer Data
Figure Technology, a Nasdaq-listed blockchain lending company, confirmed on February 13, 2026 that attackers had compromised customer data through a targeted social engineering attack on one of its employees.[TechCrunch] The hacking collective ShinyHunters subsequently published approximately 2.5 gigabytes of stolen customer data on the dark web after Figure refused to pay a ransom demand — exposing names, addresses, dates of birth, and phone numbers of affected customers.
The breach raises serious questions about cybersecurity standards across the blockchain fintech sector. Figure operates on the Provenance blockchain and has originated over $20 billion in on-chain credit — yet the attack bypassed its blockchain infrastructure entirely, exploiting human vulnerability rather than any technical flaw. It is a stark reminder that building on decentralised technology does not protect against one of the oldest attack vectors in cybersecurity: manipulating people.
What Happened: The Figure Technology Data Breach Explained
According to a statement shared with TechCrunch, Figure spokesperson Alethea Jadick confirmed the breach originated when an employee was deceived through a social engineering attack. This manipulation gave attackers access to internal systems, from which they downloaded what the company described as “a limited number of files.” Figure moved swiftly to block the suspicious activity and engaged a forensic investigation firm to determine the full scope.
ShinyHunters claimed responsibility on its dark web leak site — stating that Figure had declined to pay a ransom demand — and published approximately 2.5 gigabytes of data purportedly taken from the company’s systems. TechCrunch reviewed a portion of the leaked files and confirmed they contained sensitive personally identifiable information including customers’ full names, home addresses, dates of birth, and phone numbers.[Decrypt]
“We recently identified that an employee was socially engineered, and that allowed an actor to download a limited number of files through their account.”
— Figure Technology spokesperson Alethea Jadick, via TechCrunch, February 13, 2026
Key Facts at a Glance
| Detail | Information |
|---|---|
| Company | Figure Technology (Nasdaq: FIGR) |
| Breach Confirmed | February 13, 2026 |
| Attack Type | Social Engineering (employee manipulation) |
| Threat Actor | ShinyHunters |
| Data Published | ~2.5 GB (after ransom refusal) |
| Exposed Information | Full names, home addresses, dates of birth, phone numbers |
| Linked Campaign | Okta SSO exploitation — also targeted Harvard & UPenn |
| Blockchain System Breached? | No — Provenance blockchain was not affected |
| Company IPO Valuation | ~$5.3 Billion (September 2025, raised $787.5M) |
How the Breach Happened — And Why It Matters
The attack vector was not a sophisticated blockchain exploit or a zero-day vulnerability in Figure’s infrastructure. It was a social engineering campaign — a targeted manipulation of a single employee that gave attackers access to internal systems through that person’s legitimate account credentials.
A critical detail reported by Decrypt: a member of ShinyHunters told TechCrunch the Figure breach was part of a broader coordinated campaign targeting companies that rely on Okta — a widely used single sign-on (SSO) authentication provider. Other alleged victims in this campaign reportedly include Harvard University and the University of Pennsylvania. This is not an isolated incident but part of a multi-target operation exploiting shared identity infrastructure.
🔍 What Is the Okta Connection?
Okta is one of the world’s most widely used enterprise identity platforms — companies use it to give employees single sign-on access to multiple internal systems with one set of credentials.
When attackers compromise an Okta-linked account — either by tricking an employee or stealing credentials — they can potentially access every system that employee has permission to use. This is why a single social engineering attack on one person at Figure was enough to access internal customer files.
The lesson: Even the most secure blockchain infrastructure is only as strong as the identity management layer sitting in front of it. A compromised SSO credential bypasses technical defences entirely.
Who Are ShinyHunters — The Group Behind the Figure Breach?
ShinyHunters is one of the most prolific and active data theft groups operating today. Unlike ransomware operators who encrypt victim systems and demand payment to restore access, ShinyHunters specialises in data exfiltration and extortion — stealing sensitive files, demanding payment not to publish them, and releasing everything publicly when victims refuse to pay.
The group has been linked to high-profile breaches across multiple industries including finance, healthcare, and technology. Their playbook is consistent: compromise an employee account, extract valuable data, post proof on dark web leak sites, issue a ransom demand, and publish everything if payment is refused. In the Figure Technology breach, ShinyHunters followed this pattern to the letter.
Their targeting of companies that share common authentication infrastructure — like Okta SSO — represents an evolution in their approach. Rather than attacking individual companies one at a time, they identify shared infrastructure used across thousands of organisations and exploit it systematically, dramatically increasing the scale and efficiency of their campaigns.[TechCrunch]
The Bigger Picture: Crypto and Fintech Security in 2026
The Figure breach is not an isolated incident — it is part of an accelerating trend of attacks targeting crypto and blockchain companies through human vulnerabilities rather than technical exploits. According to Chainalysis, the crypto industry saw over $3.4 billion in theft during 2025, with social engineering and credential theft accounting for an increasingly large share of incidents.
The Ledger data breach of 2020 is the most instructive comparison. When Ledger’s customer database was leaked, exposing 270,000 customers’ physical addresses and phone numbers, it triggered a wave of phishing attacks and physical threats against hardware wallet owners that lasted for years. The Figure breach exposes the same categories of data — names, addresses, dates of birth, phone numbers — to the same risks.
The critical lesson from both incidents: blockchain infrastructure was not the weak point. In both cases, centralised databases of customer information sitting behind conventional security systems were the vulnerability. As the crypto industry continues to mature and go public, the gap between decentralised on-chain infrastructure and centralised off-chain customer data management is increasingly becoming the primary attack surface.
📊 Crypto Security Incidents — 2025–2026 Context
- $3.4 billion stolen from crypto companies in 2025 — Chainalysis annual report
- $1.5 billion of that total from the Bybit breach alone (February 2025)
- $17 billion+ stolen via AI-driven impersonation scams in 2025 — Chainalysis
- 8,000+ data breach notification filings recorded by regulators in 2025, affecting 374 million individuals — Privacy Rights Clearinghouse [Decrypt]
- 76% of stolen crypto funds in 2025 came from infrastructure attacks targeting people and processes — not code vulnerabilities
What Figure Technology Customers Should Do Right Now
If you are a Figure customer or have applied for a Figure product, take these steps immediately — regardless of whether you have received a breach notification letter yet:
Enrol in Free Credit Monitoring
Figure is offering free credit monitoring to all individuals who receive a breach notice. Contact Figure directly to enrol. Additionally, consider placing a fraud alert or credit freeze with Equifax, Experian, and TransUnion to prevent unauthorised accounts being opened in your name.
Be Extremely Cautious of Unsolicited Contact
The exposed data — names, addresses, birth dates, phone numbers — is exactly what enables convincing impersonation scams. Be suspicious of any unsolicited calls, emails, or messages claiming to be from Figure, your bank, or government agencies. Generative AI voice cloning makes these scams increasingly convincing even with minimal audio samples.
Review All Financial Accounts for Unauthorised Activity
Check your bank accounts, credit cards, and any financial platforms for unusual transactions or account changes. Update passwords — especially if you reused credentials across multiple services — and enable multi-factor authentication (MFA) on all financial and email accounts.
Monitor for Phishing Attempts
Scammers often wait weeks or months after a breach before using stolen data, allowing initial awareness to fade. Set a reminder to stay vigilant for the next 12 months. Be especially wary of emails or messages that reference personal details — knowing your name, address, or date of birth does not mean the sender is legitimate.
Conclusion
The Figure Technology data breach is a clear reminder that no company — regardless of its valuation, blockchain credentials, or recent IPO — is immune to social engineering. By targeting a single employee rather than attacking Figure’s blockchain infrastructure directly, ShinyHunters bypassed every technical defence the company had built.
With 2.5GB of customer data now circulating on the dark web, the consequences for affected individuals could extend well beyond this initial disclosure. The information exposed — names, addresses, dates of birth, phone numbers — provides everything needed for identity fraud, targeted phishing, and voice impersonation scams that may emerge weeks or months from now.
As the investigation continues, the crypto and fintech sectors will be watching closely — both for accountability from Figure and for what this breach signals about security standards across an industry that is increasingly handling mainstream financial data at institutional scale.
This is a developing story. CryptoNewsBytes.com will update this article as new information becomes available.
CryptoNewsBytes Editorial Team
Crypto Security & Blockchain News · CryptoNewsBytes.com

