Figure Technology Solutions Data Breach: Nearly 1 Million User Records Exposed in 2026 Social Engineering Attack

Executive Summary
Figure Technology Solutions, a prominent blockchain-based financial technology company, experienced a significant data breach in February 2026, resulting in the compromise of nearly 1 million user records. The breach was executed through a sophisticated social engineering attack, specifically a voice phishing (vishing) campaign, which enabled attackers to obtain an employee’s credentials and multi-factor authentication codes. This access allowed the threat actor, identified as ShinyHunters, to exfiltrate files containing personally identifiable information (PII) including names, email addresses, phone numbers, physical addresses, and dates of birth. The incident coincided with Figure’s secondary public stock offering, amplifying its potential impact. Figure has confirmed the breach, blocked the malicious activity, engaged a forensic firm, and is offering complimentary credit monitoring to affected individuals. The attack is part of a broader campaign targeting financial technology firms through social engineering and cloud account compromise, with no evidence of malware or technical vulnerability exploitation. All findings in this report are based on direct evidence from public disclosures and reputable threat intelligence sources.
Technical Information
The breach at Figure Technology Solutions was orchestrated through a targeted social engineering campaign that relied on vishing (voice phishing). The adversary impersonated IT support staff, telephoned a Figure employee, and talked them into entering their credentials and multi-factor authentication (MFA) code into a phishing site built to mimic the company’s legitimate login portal. Because a one-time code is only valid for a short window, this kind of attack depends on the adversary forwarding the harvested password and code to the real login portal while the code is still live; once that succeeded, the attacker held a valid session on the employee’s Single Sign-On (SSO) account, which in turn provided access to the connected enterprise applications and data repositories behind it.
Once inside, the attacker downloaded files containing the PII of approximately 967,200 users: names, email addresses, phone numbers, physical addresses, and dates of birth. No malware was deployed and no software vulnerability was exploited; the intrusion relied entirely on manipulating human trust and then riding the organization’s own authentication and authorization paths.
The threat actor responsible, ShinyHunters, is a well-known extortion group with a history of targeting cloud-based SaaS (Software-as-a-Service) environments. Their tactics, techniques, and procedures (TTPs) are consistent with previous incidents involving vishing, SSO credential harvesting, and large-scale data exfiltration. In this case, ShinyHunters publicly claimed responsibility, posted the stolen data on their leak site, and published screenshots of internal Figure communications to substantiate their claims.
Technical analysis of the attack chain reveals the following sequence: reconnaissance to identify and target employees, initial access via vishing and credential harvesting, use of the compromised SSO session to reach cloud applications, collection of sensitive files, and exfiltration of data to attacker-controlled infrastructure. The attack chain maps to several MITRE ATT&CK techniques, including T1566 (Phishing) and its sub-technique T1566.004 (Spearphishing Voice), T1078.004 (Valid Accounts: Cloud Accounts), T1530 (Data from Cloud Storage), and T1567 (Exfiltration Over Web Service).
The breach is part of a broader campaign by ShinyHunters targeting over 100 high-profile organizations, particularly in the fintech sector. These campaigns often coincide with periods of heightened business activity, such as IPOs or stock offerings, to maximize the impact and extortion leverage. The Figure incident occurred during the company’s secondary public offering, underscoring the threat actor’s strategic timing.
No evidence has been found of malware deployment, lateral movement via technical exploits, or persistence mechanisms beyond the use of valid credentials. The attack demonstrates the effectiveness of social engineering in bypassing technical controls, especially in cloud-first organizations where SSO provides access to multiple critical systems.
The quality of evidence supporting these findings is high, with direct confirmation from Figure, public data leaks, and corroboration from multiple independent threat intelligence sources. Attribution to ShinyHunters is supported by their public claims, technical artifacts, and consistent TTPs observed in other recent breaches.
Affected Versions & Timeline
The compromised data set spans approximately 967,200 unique accounts and includes records dating back to January 2026. The publicly documented timeline is as follows: ShinyHunters posted the data online on February 13, 2026; the breach was added to the Have I Been Pwned database on February 18, 2026; and public reporting by reputable sources appeared the same day. The attack abused Figure’s SSO environment, but there is no evidence that specific software versions or technical vulnerabilities were targeted. The breach was enabled by social engineering rather than a flaw in Figure’s technology stack, so no product version is “affected” in the conventional sense.
Threat Activity
ShinyHunters is a financially motivated threat actor group with a documented history of targeting cloud-based SaaS environments and fintech organizations. Their recent campaigns have focused on social engineering, particularly vishing, to compromise SSO accounts and access sensitive data. In the Figure breach, ShinyHunters impersonated IT staff, contacted employees by phone, and directed them to phishing sites to harvest credentials and MFA codes. Once access was obtained, the group exfiltrated files containing PII and published the data on their leak site for extortion and reputational damage.
The group’s tactics are characterized by careful timing, often coinciding with major business events such as IPOs or stock offerings. In addition to Figure, ShinyHunters has claimed responsibility for breaches at Betterment, Match Group, and other high-profile organizations. Their operations are notable for the absence of malware and the reliance on human manipulation to bypass security controls.
The Figure breach is part of a broader trend of threat actors targeting cloud-first organizations through social engineering and SSO compromise. The attack demonstrates the increasing sophistication of vishing campaigns and the challenges of defending against credential-based attacks in environments with extensive SaaS integration.
Mitigation & Workarounds
The following mitigation strategies are prioritized by severity:
Critical: Implement robust anti-phishing and anti-vishing training for all employees, with a focus on recognizing and reporting unsolicited phone calls and any request to read out or type in a credential or MFA code. Pair the training with a process control: no legitimate IT or helpdesk workflow should ever require a user to disclose an MFA code, and staff should be told to hang up and call back through a published internal number before acting on any “IT support” request. Awareness programs must be updated regularly to reflect the tactics groups like ShinyHunters are actually using.
Critical: Enforce phishing-resistant MFA for SSO, meaning FIDO2/WebAuthn hardware security keys or platform passkeys (and certificate-based authentication where it is already deployed). These bind the authentication to the genuine origin, so a code or assertion produced on a look-alike site cannot be replayed to the real portal. Note that app-based push notifications and number matching are not phishing-resistant: an attacker who is relaying the victim’s password to the real portal in real time can trigger the push and the victim, already on the phone with “IT support”, will approve it. Treat SMS, voice and TOTP codes as the weakest tier and restrict or retire them, since they are exactly what was harvested in this incident.
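The following is an added illustration, not code from Figure or from any real identity provider, of the mechanism behind both the attack described in the Technical Information section and the mitigation above: a one-time code typed into a look-alike page verifies at the real IdP when the attacker forwards it, whereas a WebAuthn-style assertion carries the browser-observed origin and fails the relying-party checks. All domains, keys and the HMAC used as a stand-in for the ES256 signature are constructed for the example.

```python
import base64
import hashlib
import hmac
import json
import secrets
import struct

# Constructed values for the example; no real Figure infrastructure is referenced.
REAL_RP_ID = "sso.example-corp.com"
REAL_ORIGIN = "https://sso.example-corp.com"
PHISH_ORIGIN = "https://sso.example-corp-helpdesk.com"  # look-alike login page


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP over HMAC-SHA1. The code depends only on the shared secret
    and the time window, not on which web page the user typed it into."""
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    truncated = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{truncated % 10 ** digits:0{digits}d}"


def idp_verify_totp(secret: bytes, code: str, unix_time: int) -> bool:
    """The real IdP cannot distinguish a relayed code from one typed on its own page."""
    return hmac.compare_digest(totp(secret, unix_time), code)


def authenticator_sign(cred_key: bytes, rp_id: str, challenge: bytes, browser_origin: str) -> dict:
    """WebAuthn-style assertion. The browser, not the user, records the origin it is
    actually talking to in clientDataJSON, and the signature covers it. HMAC stands
    in for the ES256 signature so the example needs no third-party library."""
    client_data = json.dumps(
        {"type": "webauthn.get", "challenge": b64url(challenge), "origin": browser_origin},
        sort_keys=True,
    ).encode()
    # authenticatorData = rpIdHash || flags (UP set) || signCount
    auth_data = hashlib.sha256(rp_id.encode()).digest() + b"\x01" + (1).to_bytes(4, "big")
    signed = auth_data + hashlib.sha256(client_data).digest()
    return {
        "clientDataJSON": client_data,
        "authenticatorData": auth_data,
        "signature": hmac.new(cred_key, signed, hashlib.sha256).digest(),
    }


def idp_verify_webauthn(cred_key: bytes, expected_challenge: bytes, assertion: dict) -> bool:
    """Relying-party checks from the WebAuthn spec that defeat a relay: the origin
    must be the IdP's own, rpIdHash must match, the challenge must be the one this
    IdP issued, and the signature must cover all of it."""
    client = json.loads(assertion["clientDataJSON"])
    if client.get("type") != "webauthn.get" or client.get("origin") != REAL_ORIGIN:
        return False
    if client.get("challenge") != b64url(expected_challenge):
        return False
    if assertion["authenticatorData"][:32] != hashlib.sha256(REAL_RP_ID.encode()).digest():
        return False
    signed = assertion["authenticatorData"] + hashlib.sha256(assertion["clientDataJSON"]).digest()
    expected = hmac.new(cred_key, signed, hashlib.sha256).digest()
    return hmac.compare_digest(expected, assertion["signature"])


def relay_attack(now: int = 1_771_000_000) -> dict:
    """Attacker sits between the victim (on the phishing page) and the real IdP and
    forwards whatever the victim produces. Returns whether each factor lets them in."""
    totp_secret = secrets.token_bytes(20)
    cred_key = secrets.token_bytes(32)

    # TOTP: victim reads the code from their app and types it into PHISH_ORIGIN;
    # the attacker forwards it to the real IdP within the 30-second window.
    code_typed_by_victim = totp(totp_secret, now)
    totp_relay_succeeds = idp_verify_totp(totp_secret, code_typed_by_victim, now)

    # WebAuthn: attacker fetches a genuine challenge and has the phishing page call
    # navigator.credentials.get(). A real browser would already refuse because
    # REAL_RP_ID is not a registrable suffix of the phishing origin; even if an
    # assertion were produced, the origin baked into it is the phishing origin.
    challenge = secrets.token_bytes(32)
    relayed = authenticator_sign(cred_key, REAL_RP_ID, challenge, PHISH_ORIGIN)
    webauthn_relay_succeeds = idp_verify_webauthn(cred_key, challenge, relayed)

    # Control: the same credential used on the genuine page verifies normally.
    genuine = authenticator_sign(cred_key, REAL_RP_ID, challenge, REAL_ORIGIN)
    genuine_succeeds = idp_verify_webauthn(cred_key, challenge, genuine)

    return {
        "totp_relay": totp_relay_succeeds,
        "webauthn_relay": webauthn_relay_succeeds,
        "webauthn_genuine": genuine_succeeds,
    }


if __name__ == "__main__":
    print(relay_attack())
```

The point of the contrast is that the TOTP verifier has no input that says where the user was when the code was produced, so training the user to "check the URL" is the only defence, and that is precisely what a convincing phone call defeats. The WebAuthn verifier rejects the relayed assertion without any judgement from the user.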
High: Monitor SSO and cloud application logs for anomalous access patterns, in particular a successful login from a device fingerprint and country the user has never used before, and a burst of file downloads from data repositories in the hour that follows. Alert on the combination automatically and give the SOC a rapid path to revoke the session and reset the account, since in this incident the only attacker artefacts were a valid session and the downloads it performed.
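As an added example (not Figure’s tooling or any vendor’s detection rule), the following script runs the detection described above over a handful of constructed SSO and storage audit events in a generic JSON schema. It builds a per-user baseline of seen devices and countries from earlier successful logins, flags a login that is new on both axes, and escalates when a burst of downloads follows within the configured window. Field names and the sample events are assumptions made for the example.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed audit events; the schema is generic and not any real IdP's format.
SAMPLE_LOG = """\
{"ts":"2026-02-10T14:02:11Z","user":"a.lee","event":"sso.login.success","ip":"198.51.100.7","country":"US","device_id":"d-3a9f","mfa":"totp"}
{"ts":"2026-02-11T09:15:40Z","user":"a.lee","event":"sso.login.success","ip":"198.51.100.7","country":"US","device_id":"d-3a9f","mfa":"totp"}
{"ts":"2026-02-11T10:00:00Z","user":"b.kim","event":"sso.login.success","ip":"192.0.2.9","country":"US","device_id":"d-0001","mfa":"fido2"}
{"ts":"2026-02-12T10:00:00Z","user":"b.kim","event":"sso.login.success","ip":"192.0.2.9","country":"US","device_id":"d-0001","mfa":"fido2"}
{"ts":"2026-02-12T10:05:00Z","user":"b.kim","event":"storage.file.download","ip":"192.0.2.9","object":"reports/q1.pdf"}
{"ts":"2026-02-12T16:48:03Z","user":"a.lee","event":"sso.login.success","ip":"203.0.113.54","country":"NL","device_id":"d-77c1","mfa":"totp"}
{"ts":"2026-02-12T16:51:20Z","user":"a.lee","event":"storage.file.download","ip":"203.0.113.54","object":"exports/customers_part1.csv"}
{"ts":"2026-02-12T16:52:05Z","user":"a.lee","event":"storage.file.download","ip":"203.0.113.54","object":"exports/customers_part2.csv"}
{"ts":"2026-02-12T16:53:47Z","user":"a.lee","event":"storage.file.download","ip":"203.0.113.54","object":"exports/customers_part3.csv"}
{"ts":"2026-02-12T16:55:10Z","user":"a.lee","event":"storage.file.download","ip":"203.0.113.54","object":"exports/customers_part4.csv"}
{"ts":"2026-02-12T16:57:31Z","user":"a.lee","event":"storage.file.download","ip":"203.0.113.54","object":"exports/customers_part5.csv"}
{"ts":"2026-02-12T17:02:14Z","user":"a.lee","event":"storage.file.download","ip":"203.0.113.54","object":"exports/customers_part6.csv"}
"""

# Factors a real-time relay can harvest; used only to annotate the alert.
PHISHABLE_MFA = {"totp", "sms", "voice", "push"}


def parse_ts(ts: str) -> datetime:
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def detect_suspicious_sso(lines, window=timedelta(hours=1), download_threshold=5):
    """Return alerts for logins that are simultaneously from an unseen device and an
    unseen country for that user, escalated when downloads burst within `window`."""
    events = sorted((json.loads(l) for l in lines if l.strip()), key=lambda e: e["ts"])

    # Index downloads per user once so the per-login check is a simple count.
    downloads = defaultdict(list)
    for e in events:
        if e["event"] == "storage.file.download":
            downloads[e["user"]].append(parse_ts(e["ts"]))

    seen_devices, seen_countries = defaultdict(set), defaultdict(set)
    alerts = []
    for e in events:
        if e["event"] != "sso.login.success":
            continue
        user, t = e["user"], parse_ts(e["ts"])
        has_baseline = bool(seen_devices[user])  # first-ever login cannot be "new"
        new_device = e["device_id"] not in seen_devices[user]
        new_country = e["country"] not in seen_countries[user]

        if has_baseline and new_device and new_country:
            n = sum(1 for d in downloads[user] if t <= d <= t + window)
            alerts.append({
                "user": user,
                "login_ts": e["ts"],
                "ip": e["ip"],
                "country": e["country"],
                "device_id": e["device_id"],
                "phishable_mfa": e.get("mfa") in PHISHABLE_MFA,
                "downloads_in_window": n,
                "severity": "critical" if n >= download_threshold else "high",
                "action": "revoke sessions, reset credentials, review downloaded objects",
            })

        # Update the baseline after evaluating so the current login cannot whitelist itself.
        seen_devices[user].add(e["device_id"])
        seen_countries[user].add(e["country"])
    return alerts


if __name__ == "__main__":
    for alert in detect_suspicious_sso(SAMPLE_LOG.splitlines()):
        print(json.dumps(alert, indent=2))
```

In the sample, b.kim’s repeat login from a known device and country produces nothing, while a.lee’s first login from a new device in a new country, followed by six downloads in fourteen minutes, produces a single critical alert. In production the baseline would come from 30 to 90 days of history rather than the same log slice, and the download source would be the SaaS application’s own audit trail rather than the IdP.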
High: Limit the scope of access granted to individual accounts, applying the principle of least privilege to reduce the potential impact of a single compromised credential. Regularly review and update access permissions for all users, especially those with access to sensitive data repositories.
Medium: Conduct regular simulated phishing and vishing exercises to test employee readiness and reinforce security protocols. Use the results to identify areas for improvement in training and incident response.
Medium: Ensure that incident response plans specifically address social engineering scenarios, including clear procedures for reporting, containment, and forensic investigation of credential-based breaches.
Low: Communicate transparently with affected users and partners, providing timely notifications, guidance on credit monitoring, and steps to mitigate potential identity theft or fraud.
There is no evidence that technical vulnerabilities in software or infrastructure were exploited in this incident; therefore, patching or upgrading specific products is not directly relevant. The primary focus should be on strengthening human and process defenses against social engineering.
References
- https://www.bleepingcomputer.com/news/security/data-breach-at-fintech-firm-figure-affects-nearly-1-million-accounts/
- https://www.americanbanker.com/news/data-breach-hits-1-million-figure-customers
- https://www.intel471.com/blog/shinyhunters-data-breach-mitre-attack
- https://cloud.google.com/blog/topics/threat-intelligence/expansion-shinyhunters-saas-data-theft
About Rescana
Rescana provides a third-party risk management (TPRM) platform designed to help organizations identify, assess, and monitor risks associated with their vendors and partners. Our platform enables continuous monitoring of supply chain security, supports rapid incident response, and delivers actionable insights into emerging threats, including social engineering and credential compromise campaigns. For questions or further information, please contact us at ops@rescana.com.