Fintech Firm Figure Technologies Breached by ShinyHunters; 1 Million Customer Records Leaked

Figure Technologies Confirms Data Breach After Employee Targeted in Phishing Attack, ShinyHunters Leaks 2.5GB of Customer Data

HIGH
February 15, 2026
February 21, 2026
5m read
Data Breach · Threat Actor · Phishing

Impact Scope

People Affected

967,000

Affected Companies

Figure Technology Solutions, Inc.

Industries Affected

Finance · Technology

Geographic Impact

United States (national)

Full Report (when first published)

Executive Summary

On February 14, 2026, fintech firm Figure Technology Solutions, Inc. confirmed a significant data breach resulting from a targeted social engineering attack on an employee. The threat actor group ShinyHunters claimed responsibility, subsequently leaking a 2.5GB data trove on the dark web after the company reportedly refused to pay a ransom. The leaked data contains the personally identifiable information (PII) of approximately 967,000 customers, including full names, dates of birth, email addresses, physical addresses, and phone numbers. The incident highlights the effectiveness of social engineering as an initial access vector and underscores the severe consequences of a single credential compromise, particularly in organizations handling sensitive financial data.


Threat Overview

The attack began with a sophisticated social engineering campaign, likely voice phishing (vishing), targeting a Figure employee. The attackers successfully manipulated the employee into divulging their credentials, granting them unauthorized access to Figure's internal systems. This access was then used to navigate the network and exfiltrate sensitive customer data.

ShinyHunters, a well-known data extortion group, followed its typical modus operandi: exfiltrate data, demand a ransom, and leak the data if the demand is not met. By publishing the data on their leak site, they aim to maximize reputational damage to the victim and pressure future victims into paying. The leaked information is highly valuable for other malicious actors, who can use it to conduct identity theft, targeted phishing campaigns, and other fraudulent activities. Some researchers suggest this attack may be part of a wider campaign targeting users of the single sign-on provider Okta, although this connection is still under investigation.

Technical Analysis

The attack chain follows a common pattern seen in modern data breaches, leveraging human vulnerability before exploiting technical systems.

  1. Initial Access: The attackers used social engineering, as described in T1566 - Phishing. Given the context, this was likely a vishing attack (T1566.004) combined with smishing or email phishing to direct the employee to a malicious site.
  2. Credential Compromise: The employee's credentials were stolen, aligning with T1078 - Valid Accounts. This single point of failure allowed attackers to bypass perimeter defenses.
  3. Discovery & Lateral Movement: While not detailed, once inside, attackers would have performed discovery techniques to locate valuable data repositories. This likely involved techniques like T1087 - Account Discovery and T1082 - System Information Discovery.
  4. Exfiltration: The final stage was the theft of data, corresponding to T1048 - Exfiltration Over Alternative Protocol or T1567 - Exfiltration Over Web Service. The 2.5GB size suggests a compressed archive was exfiltrated over a common protocol like HTTPS to avoid detection.

This incident is a stark reminder that even with advanced blockchain technology, the human element remains the weakest link. The focus on "frictionless speed" mentioned by investigators often correlates with relaxed internal security controls that attackers are quick to exploit.

Impact Assessment

The business impact on Figure Technologies is multifaceted and severe. It includes immediate financial costs for incident response, legal fees, and providing credit monitoring services. The long-term impact involves significant reputational damage, loss of customer trust, and potential regulatory fines for failing to protect PII. The investigation by law firm Woods Lonergan PLLC indicates the potential for class-action lawsuits.

For the 967,000 affected customers, the impact is direct and personal. They face an elevated and long-term risk of:

  • Identity Theft: Criminals can use the leaked data to open new accounts, file fraudulent tax returns, or obtain loans.
  • Targeted Phishing: Armed with names, emails, and addresses, attackers can craft highly convincing phishing emails or calls to extract further sensitive information like passwords or financial details.
  • Social Engineering: The data can be used to impersonate individuals to their friends, family, or employers.

Cyber Observables for Detection

Security teams can hunt for similar activity by monitoring for:

Type | Value | Description
log_source | VPN & SSO Logs | Monitor for logins from unusual geolocations, multiple failed logins followed by a success, or logins outside of normal business hours. Correlate with MFA push notifications.
network_traffic_pattern | Large data egress | Alert on unusually large data transfers from internal servers to external, non-business-related IP addresses or cloud storage services.
event_id | Windows Event ID 4625 | Look for spikes in failed logon attempts (Event ID 4625) on internal systems, which could indicate attempts to use compromised credentials.
process_name | rclone.exe, megasync.exe | Monitor for the execution of common data transfer tools on endpoints and servers where they are not expected.
command_line_pattern | 7z.exe a -p... | Hunt for command-line activity related to compressing large directories into password-protected archives, a common precursor to exfiltration.
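The process_name, command_line_pattern and event_id rows above can be turned into a small hunting routine. The following Python is an added example written for this article, not tooling from the source, from Figure or from the threat actor; the process and logon events are constructed, and the approved-host list, the password-switch regex and the thresholds are assumptions a team would tune to its own estate. It goes one step beyond the table by correlating the two endpoint observables: a password-protected archive created on a host followed shortly by a transfer tool on the same host and user is escalated as a staging-then-transfer sequence.

```python
import re
from collections import defaultdict

# Constructed sample process-creation events (shape loosely follows a Sysmon
# Event ID 1 / EDR record). None of these values come from the Figure incident.
SAMPLE_PROCESS_EVENTS = [
    {"ts": 1000, "host": "WS-0412", "user": "jdoe",
     "image": r"C:\Windows\System32\svchost.exe", "cmdline": "svchost.exe -k netsvcs"},
    {"ts": 1200, "host": "WS-0412", "user": "jdoe",
     "image": r"C:\Program Files\7-Zip\7z.exe",
     "cmdline": r'7z.exe a -pS3cret -mhe=on export.7z "D:\exports\customers\"'},
    {"ts": 1500, "host": "WS-0412", "user": "jdoe",
     "image": r"C:\Users\jdoe\Downloads\rclone.exe",
     "cmdline": "rclone.exe copy export.7z remote:drop"},
    {"ts": 2000, "host": "BACKUP-01", "user": "backup_svc",
     "image": r"C:\Program Files\rclone\rclone.exe",
     "cmdline": "rclone.exe sync E:\\backups remote:offsite"},
    {"ts": 2100, "host": "FS-02", "user": "backup_svc",
     "image": r"C:\Program Files\7-Zip\7z.exe", "cmdline": r'7z.exe a nightly.7z "E:\backups\"'},
]

# Constructed Windows logon events: (ts_seconds, event_id, source_ip, target_user);
# 4625 = failed logon, 4624 = successful logon.
SAMPLE_LOGON_EVENTS = [(900 + i * 10, 4625, "10.20.30.40", f"user{i % 4}") for i in range(12)]
SAMPLE_LOGON_EVENTS += [(1030, 4624, "10.20.30.40", "jdoe"), (5000, 4625, "10.20.30.55", "asmith")]

TRANSFER_TOOLS = {"rclone.exe", "megasync.exe"}
APPROVED_TRANSFER_HOSTS = {"BACKUP-01"}        # assumed: hosts where those tools are expected
# 7-Zip "a" (add) with a -p<password> switch, i.e. creation of a password-protected archive.
PROTECTED_ARCHIVE_RE = re.compile(r"\b7z(?:\.exe)?\s+a\b.*\s-p\S*", re.IGNORECASE)


def basename(path: str) -> str:
    """Image name without directory, lower-cased, for either path separator."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def hunt_process_events(events):
    """Return findings as (ts, host, user, rule, detail) for the two endpoint observables."""
    findings = []
    for ev in events:
        name = basename(ev["image"])
        if name in TRANSFER_TOOLS and ev["host"] not in APPROVED_TRANSFER_HOSTS:
            findings.append((ev["ts"], ev["host"], ev["user"], "transfer_tool", name))
        if PROTECTED_ARCHIVE_RE.search(ev["cmdline"]):
            findings.append((ev["ts"], ev["host"], ev["user"], "protected_archive", ev["cmdline"]))
    return findings


def failed_logon_spikes(logons, window=300, threshold=10):
    """Sliding-window count of 4625 events per source IP; returns (src_ip, peak_count) over threshold."""
    per_src = defaultdict(list)
    for ts, event_id, src, _user in logons:
        if event_id == 4625:
            per_src[src].append(ts)
    spikes = []
    for src, stamps in per_src.items():
        stamps.sort()
        start, peak = 0, 0
        for end, ts in enumerate(stamps):
            while ts - stamps[start] > window:   # drop events that fell out of the window
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            spikes.append((src, peak))
    return spikes


def correlate(findings, max_gap=3600):
    """Escalate when one host/user stages a protected archive and then runs a transfer tool."""
    staged, escalations = {}, []
    for ts, host, user, rule, _detail in sorted(findings):
        key = (host, user)
        if rule == "protected_archive":
            staged[key] = ts
        elif rule == "transfer_tool" and key in staged and ts - staged[key] <= max_gap:
            escalations.append((host, user, "staging_then_transfer"))
    return escalations


if __name__ == "__main__":
    found = hunt_process_events(SAMPLE_PROCESS_EVENTS)
    print(found)                                 # archive on WS-0412, then rclone on WS-0412
    print(correlate(found))                      # [('WS-0412', 'jdoe', 'staging_then_transfer')]
    print(failed_logon_spikes(SAMPLE_LOGON_EVENTS))   # [('10.20.30.40', 12)]
```

The backup host is exempted from the transfer-tool rule so the example shows the "where they are not expected" qualifier from the table rather than alerting on every rclone execution; in practice that exemption list is the part that needs the most care, since an attacker who lands on an approved host inherits it.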

Detection & Response

Detection Strategies:

  1. User and Entity Behavior Analytics (UEBA): Implement UEBA solutions to baseline normal user activity. This can help detect when a compromised account is used in an anomalous way, such as accessing unusual files or logging in from a new location. This aligns with D3FEND's User Geolocation Logon Pattern Analysis (D3-UGLPA).
  2. MFA Anomaly Detection: Monitor for "MFA fatigue" or "push bombing" attacks, where an attacker who has a password spams the user with MFA requests hoping they will approve one by mistake. Correlate multiple MFA denial events with subsequent login attempts.
  3. Data Loss Prevention (DLP): Deploy DLP solutions that monitor and can block the exfiltration of data containing sensitive PII patterns. Configure rules to detect large volumes of customer data being moved to external destinations. This is a form of Outbound Traffic Filtering (D3-OTF).
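Strategies 1 and 2, together with the VPN & SSO Logs row of the observables table, reduce to a handful of stateful checks over authentication events. The Python below is an added example written for this article, not a UEBA product and not code from the source or from Figure; the log lines, the per-user geolocation baseline, the business-hours window and the alert weights are all constructed assumptions. It flags failed-then-successful logins, logins from a country outside the user's baseline, off-hours logins, and the push-bombing pattern (several denied or timed-out MFA prompts followed by an approval), then combines the signals per user so that a single account tripping several rules surfaces as one high-confidence finding.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed SSO/VPN log lines (ISO-8601 timestamp, then key=value pairs); not real Figure logs.
SAMPLE_SSO_LOG = """\
2026-02-13T02:14:05Z user=jdoe src=203.0.113.7 geo=RO event=login result=fail
2026-02-13T02:14:21Z user=jdoe src=203.0.113.7 geo=RO event=login result=fail
2026-02-13T02:14:40Z user=jdoe src=203.0.113.7 geo=RO event=login result=success
2026-02-13T02:15:02Z user=jdoe src=203.0.113.7 geo=RO event=mfa_push result=deny
2026-02-13T02:15:30Z user=jdoe src=203.0.113.7 geo=RO event=mfa_push result=deny
2026-02-13T02:16:01Z user=jdoe src=203.0.113.7 geo=RO event=mfa_push result=timeout
2026-02-13T02:16:44Z user=jdoe src=203.0.113.7 geo=RO event=mfa_push result=approve
2026-02-13T09:01:12Z user=asmith src=198.51.100.4 geo=US event=login result=success
2026-02-13T09:01:20Z user=asmith src=198.51.100.4 geo=US event=mfa_push result=approve
"""

# Assumed per-user baseline: countries seen for the account over the previous 30 days.
BASELINE_GEO = {"jdoe": {"US"}, "asmith": {"US"}}
BUSINESS_HOURS_UTC = (8, 18)          # assumed working window, [start, end) in UTC
# Assumed weights; several weak signals on one account add up to one strong one.
WEIGHTS = {"fail_then_success": 2, "new_geolocation": 3, "off_hours_login": 1, "mfa_push_bombing": 4}


def parse(log_text: str):
    """Turn each line into a dict with a datetime under 'ts' and the key=value fields."""
    events = []
    for line in log_text.splitlines():
        ts, *pairs = line.split()
        ev = dict(p.split("=", 1) for p in pairs)
        ev["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
        events.append(ev)
    return events


def detect(events, window=timedelta(minutes=5), fail_threshold=2, push_threshold=2):
    """Return alerts as (kind, user, src, detail)."""
    alerts, by_user = [], defaultdict(list)
    for ev in events:
        by_user[ev["user"]].append(ev)
    start, end = BUSINESS_HOURS_UTC
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e["ts"])
        recent_fails, recent_push_neg = [], []
        for ev in evs:
            if ev["event"] == "login":
                if ev["result"] == "fail":
                    recent_fails.append(ev["ts"])
                elif ev["result"] == "success":
                    fails = [t for t in recent_fails if ev["ts"] - t <= window]
                    if len(fails) >= fail_threshold:
                        alerts.append(("fail_then_success", user, ev["src"], len(fails)))
                    recent_fails.clear()
                    if ev["geo"] not in BASELINE_GEO.get(user, set()):
                        alerts.append(("new_geolocation", user, ev["src"], ev["geo"]))
                    if not start <= ev["ts"].hour < end:
                        alerts.append(("off_hours_login", user, ev["src"], ev["ts"].hour))
            elif ev["event"] == "mfa_push":
                if ev["result"] in ("deny", "timeout"):
                    recent_push_neg.append(ev["ts"])
                elif ev["result"] == "approve":
                    negatives = [t for t in recent_push_neg if ev["ts"] - t <= window]
                    if len(negatives) >= push_threshold:
                        alerts.append(("mfa_push_bombing", user, ev["src"], len(negatives)))
                    recent_push_neg.clear()
    return alerts


def score_users(alerts, threshold=5):
    """Sum alert weights per user; only accounts at or above the threshold are escalated."""
    totals = defaultdict(int)
    for kind, user, *_ in alerts:
        totals[user] += WEIGHTS[kind]
    return {user: total for user, total in totals.items() if total >= threshold}


if __name__ == "__main__":
    found = detect(parse(SAMPLE_SSO_LOG))
    for alert in found:
        print(alert)
    print(score_users(found))        # {'jdoe': 10}; asmith trips no rule
```

The baseline is the piece that makes this UEBA rather than a static rule set: the same 02:14 UTC login from a new country would be routine for a travelling employee whose baseline already contained that country, so the baseline must be built from the account's own history and refreshed as it changes.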

Response Actions:

  • Immediately disable the compromised account.
  • Force a password reset for all users, especially those with privileged access.
  • Analyze firewall, VPN, and proxy logs to determine the scope of attacker activity and identify the exfiltration path.
  • Preserve all relevant logs and system images for forensic analysis.

Mitigation

Immediate Actions:

  1. Enforce Phishing-Resistant MFA: Upgrade from push-based MFA to more secure methods like FIDO2/WebAuthn. This is a critical step in mitigating credential theft.
  2. User Training: Conduct immediate, targeted training for all employees on identifying social engineering and vishing attacks. Use this incident as a real-world example.
  3. Review Access Controls: Audit and enforce the principle of least privilege. Ensure employees only have access to the data and systems absolutely necessary for their roles.
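Immediate action 1 rests on one property of FIDO2/WebAuthn: the browser writes the origin of the page that invoked the API into the client data, and the authenticator signs a hash of that client data, so an assertion obtained on a look-alike site cannot be replayed against the real one. The Python below is an added example written for this article to show those verifier-side checks; it is not Figure's code, not a WebAuthn library, and it replaces the authenticator's public-key signature with an HMAC over the same message (an explicit stand-in, so the script runs with the standard library only). The relying-party id, origins and credential are assumed values.

```python
import base64
import hashlib
import hmac
import json
import os

RP_ID = "figure.example"                      # assumed relying-party id, not Figure's real domain
EXPECTED_ORIGIN = "https://figure.example"    # assumed origin the verifier accepts


def browser_allows(origin: str, rp_id: str) -> bool:
    """Simplified browser-side rule: rpId must equal the page host or be a suffix of it."""
    host = origin.split("://", 1)[1].split("/", 1)[0].split(":", 1)[0]
    return host == rp_id or host.endswith("." + rp_id)


def register_credential() -> dict:
    # Stand-in for registration: a shared HMAC key instead of an authenticator key pair.
    return {"id": base64.urlsafe_b64encode(os.urandom(16)).decode(), "key": os.urandom(32)}


def authenticator_data(rp_id: str, sign_count: int = 1) -> bytes:
    # rpIdHash (32 bytes) || flags (1 byte, user-present bit set) || signCount (4 bytes)
    return hashlib.sha256(rp_id.encode()).digest() + b"\x01" + sign_count.to_bytes(4, "big")


def client_data_json(challenge: str, origin: str) -> bytes:
    # The browser fills in the *actual* origin of the page calling navigator.credentials.get().
    return json.dumps({"type": "webauthn.get", "challenge": challenge, "origin": origin}).encode()


def authenticator_sign(cred: dict, auth_data: bytes, cdj: bytes) -> bytes:
    # Signed message is authenticatorData || SHA-256(clientDataJSON); the origin is thus bound in.
    message = auth_data + hashlib.sha256(cdj).digest()
    return hmac.new(cred["key"], message, hashlib.sha256).digest()   # stand-in for ECDSA/EdDSA


def verify_assertion(cred: dict, expected_challenge: str, cdj: bytes, auth_data: bytes, sig: bytes):
    """Relying-party checks in the order the WebAuthn spec lists them; returns (ok, reason)."""
    cd = json.loads(cdj)
    if cd.get("type") != "webauthn.get":
        return (False, "type")
    if cd.get("challenge") != expected_challenge:
        return (False, "challenge")
    if cd.get("origin") != EXPECTED_ORIGIN:
        return (False, "origin")
    if auth_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
        return (False, "rpIdHash")
    if not auth_data[32] & 0x01:
        return (False, "user_presence")
    expected = hmac.new(cred["key"], auth_data + hashlib.sha256(cdj).digest(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):
        return (False, "signature")
    return (True, "ok")


def scenarios() -> dict:
    """Legitimate login, a relayed assertion from a look-alike origin, and a rewritten origin."""
    cred = register_credential()
    challenge = base64.urlsafe_b64encode(os.urandom(32)).decode()
    ad = authenticator_data(RP_ID)
    cdj = client_data_json(challenge, EXPECTED_ORIGIN)
    legit = verify_assertion(cred, challenge, cdj, ad, authenticator_sign(cred, ad, cdj))
    lookalike = "https://figure-login.example"          # constructed look-alike origin
    cdj_lookalike = client_data_json(challenge, lookalike)
    relayed = verify_assertion(cred, challenge, cdj_lookalike, ad,
                               authenticator_sign(cred, ad, cdj_lookalike))
    # Rewriting the origin field after signing changes the hash the signature covers.
    tampered = verify_assertion(cred, challenge, cdj, ad, authenticator_sign(cred, ad, cdj_lookalike))
    return {"legit": legit, "relayed": relayed, "tampered": tampered,
            "browser_blocks_lookalike": not browser_allows(lookalike, RP_ID)}


if __name__ == "__main__":
    for name, result in scenarios().items():
        print(f"{name}: {result}")
```

Two layers do the work: the browser refuses to use the credential at all when the rpId does not match the page host, and even if an assertion were somehow produced, the relying party rejects it on the origin check or on the signature. That is why the stolen password in this incident would not have been sufficient on its own under FIDO2, whereas a push approval carries no origin at all.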

Strategic Improvements:

  • Network Segmentation: Implement network segmentation to prevent attackers from moving laterally from a less secure part of the network (like a user workstation) to critical data stores. This is a core principle of Network Isolation (D3-NI).
  • Assume Breach Mentality: Shift from a perimeter-focused defense to an "assume breach" model. This means investing more in detection and response capabilities inside the network.
  • Security Culture: Foster a security-first culture where employees feel empowered to question suspicious requests and report potential incidents without fear of blame.

Timeline of Events

  1. February 14, 2026: Figure Technology Solutions confirms it sustained a data breach.
  2. February 14, 2026: ShinyHunters claims responsibility and leaks 2.5GB of data.
  3. February 15, 2026: This article was published.

Article Updates

February 18, 2026

Breach confirmed by Have I Been Pwned, affecting 967,000 customers. Incident occurred during company's secondary stock offering.

February 21, 2026

Public data leak confirmed on Feb 21, 2026; initial access vector for the breach is now reported as undisclosed.

MITRE ATT&CK Mitigations

Train users to recognize and report phishing and social engineering attempts.

Implement phishing-resistant MFA (like FIDO2) to prevent credential abuse.

Implement strict egress filtering to block unauthorized data exfiltration to known malicious or personal cloud storage destinations.

Enforce the principle of least privilege to limit the impact of a compromised account.

D3FEND Defensive Countermeasures

Given that this breach stemmed from a credential compromise, implementing robust MFA is the single most effective countermeasure. Organizations should prioritize the rollout of phishing-resistant MFA, such as FIDO2 security keys or device-bound biometrics, for all employees, especially those with access to sensitive systems or data. This moves beyond less secure methods like SMS or push notifications, which are vulnerable to interception and MFA fatigue attacks. For Figure, this would mean requiring a hardware token or biometric verification for any access to internal customer databases or administrative panels, rendering the stolen password useless to the attacker without physical access to the employee's second factor. This directly counters the initial access vector used by ShinyHunters.

To prevent a similar data leak, organizations must control and monitor outbound network traffic. This involves configuring egress filtering rules on perimeter firewalls to deny all traffic by default and only allow connections to known-good, business-required destinations on specific ports. For a company like Figure, this means blocking access to all personal cloud storage (e.g., Mega, Dropbox), file-sharing sites, and anonymous proxies. Furthermore, deep packet inspection (DPI) and Data Loss Prevention (DLP) systems should be deployed to analyze the content of allowed outbound traffic, looking for patterns matching customer PII. An alert should have been triggered when a 2.5GB compressed file containing customer data was uploaded to an external server, allowing security teams to intervene before the breach was complete.
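Both the DLP strategy in the Detection & Response section and the egress-filtering paragraph above describe the same two-stage policy: deny outbound connections by default, and inspect the content of the connections that are allowed for customer PII. The Python below is an added example written for this article, not a firewall or DLP product and not code from the source or from Figure; the allowlist, the PII regexes, the thresholds and the sample payloads are constructed assumptions. A flow to a destination off the allowlist is denied before any inspection; an allowlisted flow is scanned line by line, and a flow carrying several records that each hold two or more PII types is treated as a bulk customer export and blocked.

```python
import re

# Default-deny allowlist of (destination host, port) pairs the business actually needs (assumed).
ALLOWED_EGRESS = {("api.partner-bank.example", 443), ("updates.vendor.example", 443)}

# PII patterns a DLP engine would look for in allowed outbound content (simplified regexes).
PII_PATTERNS = {
    "email": re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+"),
    "phone": re.compile(r"\(?\b\d{3}\)?[-.\s]\d{3}[-.]\d{4}\b"),
    "ssn":   re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "dob":   re.compile(r"\b(?:19|20)\d{2}-\d{2}-\d{2}\b"),
}
BULK_RECORD_THRESHOLD = 3                  # assumed: this many PII-bearing records => bulk export
LARGE_TRANSFER_BYTES = 500 * 1024 * 1024   # assumed: size alone is enough to raise an alert

# Constructed payloads; every value is fictitious (example.* domains, 555 numbers, 000-prefixed SSNs).
SAMPLE_BULK_EXPORT = b"""name,dob,email,phone,ssn
Jane Doe,1985-04-12,jane.doe@example.com,(555) 010-4477,000-12-3456
John Roe,1979-11-30,john.roe@example.net,555-010-2211,000-98-7654
Ana Poe,1992-07-08,ana.poe@example.org,(555) 010-9090,000-55-4433
Lee Coe,1968-01-19,lee.coe@example.com,555-010-3344,000-22-1100
"""
SAMPLE_SINGLE_RECORD = b"ticket 4471: customer jane.doe@example.com asked to update phone (555) 010-4477\n"


def scan_pii(payload: bytes):
    """Classify each line; a line with two or more PII types counts as one customer record."""
    text = payload.decode("utf-8", errors="ignore")
    type_counts = {name: 0 for name in PII_PATTERNS}
    pii_records = 0
    for line in text.splitlines():
        hits = {name for name, rx in PII_PATTERNS.items() if rx.search(line)}
        for name in hits:
            type_counts[name] += 1
        if len(hits) >= 2:
            pii_records += 1
    return pii_records, type_counts


def evaluate_flow(dest_host: str, dest_port: int, payload: bytes) -> dict:
    """Stage 1: egress allowlist. Stage 2: content inspection of the allowed flow."""
    if (dest_host, dest_port) not in ALLOWED_EGRESS:
        return {"action": "deny", "reason": f"{dest_host}:{dest_port} is not on the egress allowlist"}
    records, counts = scan_pii(payload)
    if records >= BULK_RECORD_THRESHOLD:
        return {"action": "block", "reason": f"bulk PII: {records} customer records", "pii_types": counts}
    if len(payload) >= LARGE_TRANSFER_BYTES:
        return {"action": "alert", "reason": f"large transfer of {len(payload)} bytes"}
    return {"action": "allow", "reason": "allowlisted destination, no bulk PII"}


if __name__ == "__main__":
    print(evaluate_flow("mega.nz", 443, b"irrelevant"))                          # deny
    print(evaluate_flow("api.partner-bank.example", 443, SAMPLE_SINGLE_RECORD))  # allow
    print(evaluate_flow("api.partner-bank.example", 443, SAMPLE_BULK_EXPORT))    # block
```

One caveat the passage implies but does not spell out: content inspection only works on data it can read. A password-protected 7z archive sent over TLS shows the DLP engine nothing but noise, so for that case the controls that remain are the destination allowlist, the transfer-size threshold and the endpoint telemetry around archive creation; that is why the observables table lists the 7z.exe command line alongside the egress pattern.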

Deploying User Behavior Analysis (UBA) tools can detect when a compromised account behaves anomalously. After ShinyHunters gained access, the account would have performed actions outside its normal baseline, such as accessing a large customer database it doesn't usually touch, running data compression tools, or initiating a large data transfer. A UBA system would flag these deviations—such as 'access from a new geolocation,' 'unusual file access volume,' and 'first time running 7z.exe'—and generate a high-fidelity alert. This allows the security team to investigate and lock the account before significant data exfiltration occurs, acting as a critical internal safety net when perimeter defenses fail.

Sources & References (when first published)

Fintech firm Figure disclosed data breach after employee phishing attack. Security Affairs (securityaffairs.com), February 14, 2026
Cybersecurity News. UpGuard (upguard.com), February 15, 2026
List of Recent Data Breaches in 2026. BrightDefense (brightdefense.com), February 14, 2026
Figure Technology Data Breach Lawyer & Investigation | 1M Records. Woods Lonergan (woodslaw.com), February 15, 2026

Article Author

Jason Gomes

• Cybersecurity Practitioner

Cybersecurity professional with over 10 years of specialized experience in security operations, threat intelligence, incident response, and security automation. Expertise spans SOAR/XSOAR orchestration, threat intelligence platforms, SIEM/UEBA analytics, and building cyber fusion centers. Background includes technical enablement, solution architecture for enterprise and government clients, and implementing security automation workflows across IR, TIP, and SOC use cases.

Threat Intelligence & Analysis · Security Orchestration (SOAR/XSOAR) · Incident Response & Digital Forensics · Security Operations Center (SOC) · SIEM & Security Analytics · Cyber Fusion & Threat Sharing · Security Automation & Integration · Managed Detection & Response (MDR)

Tags

ShinyHunters · Data Breach · Phishing · Social Engineering · Fintech · PII · Credential Compromise
