The blockchain-powered lending platform Figure Technology Solutions confirmed a devastating data breach on February 19, 2026, after the notorious ShinyHunters hacker group exploited a single employee through a social engineering attack. The incident compromised approximately 967,000 user records, exposing names, dates of birth, email addresses, postal addresses, and phone numbers. With Bitcoin trading at $66,957 and Ethereum at $1,948 on the day of disclosure, the breach underscores a troubling reality: even fintech firms built on blockchain foundations remain vulnerable to the oldest attack vector in the book — human manipulation.
The Exploit Mechanics
ShinyHunters gained access to Figure’s systems through a targeted voice phishing campaign that compromised a single sign-on (SSO) account. The group exploited Okta authentication infrastructure, a method they have been refining across multiple high-profile victims throughout early 2026. Once inside, the attackers moved laterally through Figure’s network, locating and exfiltrating sensitive customer data files. ShinyHunters subsequently published more than 2.4 GB of archive files on their Tor-based leak site, containing the stolen information. The breach was initially detected by the data breach notification service Have I Been Pwned, which analyzed the leaked data and identified the roughly 967,000 affected accounts. Figure confirmed to TechCrunch that an employee had fallen victim to the social engineering attack, and the attackers obtained a limited number of files.
Affected Systems
Figure Technology Solutions operates as a Nasdaq-listed fintech firm specializing in blockchain-based home equity lending and mortgage services. The breach affected the company’s customer database, which stores personally identifiable information for borrowers and lending platform users. The compromised data includes names, dates of birth, email addresses, physical addresses, and phone numbers — a comprehensive set of information that creates significant risk for identity theft and targeted phishing campaigns. Figure is one of several organizations targeted in the broader Okta campaign, which has also affected Betterment, Crunchbase, and Panera Bread. The scale of this coordinated campaign suggests that hundreds of organizations may have been compromised through similar authentication bypass techniques. For cryptocurrency users who leverage fintech platforms for blockchain-based lending, this breach is particularly concerning because the exposed information can be used to craft convincing follow-up attacks targeting crypto wallets and exchange accounts.
The Mitigation Strategy
Organizations relying on SSO providers must implement additional layers of authentication beyond standard multi-factor authentication. Voice phishing attacks have become sophisticated enough to bypass traditional MFA prompts, making hardware security keys and phishing-resistant authentication methods essential. For crypto-adjacent fintech platforms, the mitigation approach should include mandatory hardware-based MFA for all employees with access to customer data, enhanced monitoring for unusual data access patterns following SSO authentication, regular social engineering awareness training with simulated voice phishing exercises, network segmentation that limits lateral movement even after authentication compromise, and data loss prevention tools that flag bulk data exfiltration attempts. Figure and other affected companies should also notify affected users promptly and provide credit monitoring and identity theft protection services.
Lessons Learned
The Figure breach demonstrates that blockchain infrastructure does not automatically translate to enhanced security for user data. While the lending platform leverages distributed ledger technology for its core operations, customer data storage and authentication still rely on centralized systems that present attractive targets for attackers. The key lesson is that the human element remains the weakest link in any security chain, regardless of the underlying technology stack. Organizations in the crypto and fintech space must recognize that their users face compounding risks. A data breach at a lending platform can provide attackers with the personal information needed to subsequently target those same users’ cryptocurrency holdings through social engineering attacks, SIM swaps, or account recovery exploitation.
User Action Required
If you have ever used Figure Technology Solutions or any blockchain-based lending platform, take immediate action. Change passwords on your Figure account and any other platforms where you use the same credentials. Enable hardware-based two-factor authentication wherever possible. Monitor your credit reports for unauthorized inquiries or new accounts. Be suspicious of any emails, calls, or messages referencing your Figure account or requesting verification of personal details. For cryptocurrency holders, consider moving assets to hardware wallets if your personal information has been exposed in any breach, as attackers increasingly cross-reference data from multiple incidents to build comprehensive profiles for targeted attacks.
Disclaimer: This article is for informational purposes only and does not constitute financial or security advice. Always consult with qualified professionals for guidance specific to your situation.
967,000 records from a single voice phishing attack on one employee. thats all it took. no zero day, no sophisticated exploit, just a phone call
okta SSO being the vector again. shinyhunters have been running the same okta playbook all year and companies still arent enforcing hardware MFA
this is the third shinyhunters breach via okta SSO this quarter. at what point do we admit okta is the problem not the solution
one phone call. no exploit kit, no zero day, no brute force. social engineering remains undefeated because humans are always the weakest link
one phone call and 967k records gone. okta needs to make hardware mfa mandatory not optional. how many breaches before they change defaults
sms_is_dead hardware mfa should be the default not an opt-in toggle buried in settings. okta learned nothing from the 2022 breaches
okta has had 4 breach incidents via SSO this year alone. the problem is not opt-in MFA, it is that okta architecture is fundamentally too centralized for the threat landscape in 2026
okta sso being the vector again. shinyhunters have been running the same playbook against okta all year and companies still arent enforcing hardware mfa
shinyhunters publishing 2.4GB on their tor site within days of the breach. these groups move faster than most corporate incident response teams
2.4GB published before most companies even finish their initial assessment. the speed gap between attackers and defenders keeps widening
one employee with SSO access and no hardware key. 967k records later and okta still charges enterprise prices for baseline security
blockchain company getting breached via voice phishing is peak irony. your whole value prop is trustless systems and one phone call takes down a million records