On January 28, 2026, ShinyHunters breached Figure Technology Solutions (NASDAQ: FIGR) - America's largest non-bank HELOC lender, with $22 billion in home equity transactions processed - through a voice phishing call to a single employee.
The attacker impersonated IT support, directed the employee to a fake Okta login portal, and captured SSO credentials and MFA codes in real time. No technical vulnerability was exploited.
Within approximately 90 minutes of gaining access, the attacker bulk-downloaded files containing personal data from 967,200 customer accounts. Figure detected the intrusion the same day and blocked the activity, but ShinyHunters had already exfiltrated 2.5 GB of data.
On February 13, after Figure refused to pay an undisclosed ransom, ShinyHunters published the stolen data on their dark web extortion site alongside internal Slack screenshots showing Figure management warning employees about the ongoing phishing campaign.
The breach disclosure coincided with Figure's preliminary Q4 2025 earnings release and, five days later, with the pricing of a secondary stock offering at $32 per share.
KEY FACTS
- What: Voice phishing (vishing) attack targeting Okta SSO credentials via real-time MFA relay.
- Who: Figure Technology Solutions, Inc. (NASDAQ: FIGR, $6.75B market cap) and subsidiaries Figure Lending LLC, Figure Markets Credit LLC, Figure Payments Corporation. 967,200 customer accounts affected.
- How: Attacker impersonated IT support, directed an employee to a credential-harvesting site mimicking the Okta portal, captured SSO credentials and MFA codes in real time, enrolled an attacker-controlled device via Okta FastPass, and bulk-downloaded files from connected applications over ~90 minutes.
- Data: Names, email addresses, phone numbers, physical addresses, dates of birth. Breach notifications also cite Social Security numbers, loan account numbers, and loan information.
- Actor: ShinyHunters (Mandiant: UNC6040/UNC6240/UNC6661). Part of the Scattered LAPSUS$ Hunters (SLH) alliance. Data published after ransom refusal.
- Impact: Class action filed (Mardikian v. Figure Lending LLC, W.D.N.C.); 5+ law firms investigating; state AG notifications in CA, MA, TX; 24 months of credit monitoring offered.
WHAT HAPPENED
Figure Technology Solutions is a blockchain-based fintech lender founded in 2018 by Mike Cagney (co-founder and former CEO of SoFi) and June Ou.
Headquartered in Reno, Nevada, the company operates America's largest non-bank home equity lending platform built on the Provenance Blockchain.
As of Q4 2025, Figure had facilitated $22 billion+ in home equity transactions across 253,000+ households, generated $2.7 billion in quarterly consumer loan marketplace volume (up 131% YoY), and reported adjusted EBITDA of $81 million.
The company went public on September 11, 2025, at $25 per share on Nasdaq (ticker: FIGR), raising $787.5 million and reaching a $7.62 billion first-day valuation. CEO Michael Tannenbaum leads the 458-employee company; Cagney serves as executive chairman.
On or around January 28, 2026, a ShinyHunters operator called a Figure employee by phone, impersonating IT support staff.
The caller claimed Figure was updating its multifactor authentication settings and directed the employee to a website designed to mimic Figure's legitimate Okta single sign-on portal. The employee entered their SSO credentials and MFA codes.
The attacker captured these in real time using a live phishing panel - a toolkit that allows operators to control which pages appear in the victim's browser, synchronized with the caller's script and whatever legitimate MFA challenges arise.
After capturing the credentials, the attacker enrolled their own device for persistent access using Okta FastPass on an emulated Android device (Genymobile, named "Passkey").
With authenticated access, the attacker triggered single sign-on into connected corporate applications and began bulk-downloading files. The exfiltration likely occurred over approximately 90 minutes with automated, rapid-fire sequential downloads.
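The mechanism behind the relay described above is easiest to see side by side with the control that stops it. The following is an added example, not code from the article, from Figure, or from Okta: a stdlib-only simulation of a phishing panel forwarding a one-time code to the real identity provider, next to the same panel trying to forward a WebAuthn assertion. All origins, secrets and the challenge are constructed for the example, and an HMAC stands in for the authenticator's public-key signature; the origin-binding logic is what WebAuthn actually does.

```python
import base64
import hashlib
import hmac
import json
import struct
import time

RP_ID = "example.com"                       # constructed: the IdP's relying-party ID
RP_ORIGIN = "https://login.example.com"     # constructed: the real SSO origin
PHISH_ORIGIN = "https://login-example.com"  # constructed: the lookalike the panel serves


# ---- One-time code (RFC 6238 TOTP): what the panel can relay --------------
def totp(secret: bytes, t: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238: HMAC-SHA1 over the time counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", t // step), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = (struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF) % (10 ** digits)
    return f"{code:0{digits}d}"


def idp_verify_totp(secret: bytes, code: str, now: int) -> bool:
    """IdP accepts the current step and one step either side (a common default)."""
    return any(hmac.compare_digest(totp(secret, now + d * 30), code) for d in (-1, 0, 1))


def relay_totp(secret: bytes, now: int) -> bool:
    """Victim types the code into the lookalike page; the operator forwards it
    to the real IdP a few seconds later. Nothing in the code names the origin,
    so the IdP cannot tell the two submissions apart."""
    typed_into_fake_page = totp(secret, now)
    return idp_verify_totp(secret, typed_into_fake_page, now + 5)


# ---- WebAuthn-style assertion: what the panel cannot relay ----------------
def authenticator_sign(cred_secret: bytes, origin: str, challenge: bytes) -> dict:
    """The browser (not the user) writes the origin it is actually on into
    clientDataJSON. The authenticator signs authenticatorData || SHA256(clientDataJSON).
    HMAC stands in for the real ECDSA/EdDSA signature; the binding is the same."""
    client_data = json.dumps(
        {"type": "webauthn.get",
         "challenge": base64.urlsafe_b64encode(challenge).decode(),
         "origin": origin},
        separators=(",", ":")).encode()
    # rpIdHash (32 bytes) || flags (UP set) || signCount
    auth_data = hashlib.sha256(RP_ID.encode()).digest() + b"\x01" + b"\x00\x00\x00\x01"
    signed = auth_data + hashlib.sha256(client_data).digest()
    signature = hmac.new(cred_secret, signed, hashlib.sha256).digest()
    return {"clientDataJSON": client_data, "authenticatorData": auth_data, "signature": signature}


def rp_verify(cred_secret: bytes, assertion: dict, expected_challenge: bytes) -> bool:
    """Relying-party checks in the order the WebAuthn spec lists them:
    type, challenge, origin, rpIdHash, then the signature."""
    cd = json.loads(assertion["clientDataJSON"])
    if cd.get("type") != "webauthn.get":
        return False
    if base64.urlsafe_b64decode(cd.get("challenge", "")) != expected_challenge:
        return False
    if cd.get("origin") != RP_ORIGIN:          # the check the phishing panel cannot pass
        return False
    if assertion["authenticatorData"][:32] != hashlib.sha256(RP_ID.encode()).digest():
        return False
    signed = assertion["authenticatorData"] + hashlib.sha256(assertion["clientDataJSON"]).digest()
    expected = hmac.new(cred_secret, signed, hashlib.sha256).digest()
    return hmac.compare_digest(expected, assertion["signature"])


def relay_webauthn(cred_secret: bytes) -> bool:
    """The panel fetches a genuine challenge from the IdP and hands it to the
    victim's browser, which is sitting on PHISH_ORIGIN. (A real browser would
    already refuse, because login-example.com is not within rpId example.com;
    even if it did not, the origin field sinks the assertion at the RP.)"""
    challenge = hashlib.sha256(b"constructed-server-nonce").digest()[:16]
    assertion = authenticator_sign(cred_secret, PHISH_ORIGIN, challenge)
    return rp_verify(cred_secret, assertion, challenge)


def legit_webauthn(cred_secret: bytes) -> bool:
    """Same credential, same challenge, browser on the real origin."""
    challenge = hashlib.sha256(b"constructed-server-nonce").digest()[:16]
    assertion = authenticator_sign(cred_secret, RP_ORIGIN, challenge)
    return rp_verify(cred_secret, assertion, challenge)


if __name__ == "__main__":
    secret = b"constructed-shared-secret"
    print("TOTP relayed by panel accepted:      ", relay_totp(secret, int(time.time())))
    print("WebAuthn relayed by panel accepted:  ", relay_webauthn(secret))
    print("WebAuthn on the real origin accepted:", legit_webauthn(secret))
```

The point the simulation makes is that the TOTP code carries no information about where it was typed, so a valid code is valid from anywhere inside its window; the WebAuthn assertion is signed over the browser's own view of the origin, so the caller's script cannot talk the victim into producing one that the real tenant will accept.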
Figure detected the unauthorized activity on January 28 and blocked access, but the attacker had already exfiltrated approximately 2.5 GB of compressed data.
ShinyHunters contacted Figure with a ransom demand (amount undisclosed). Figure refused to pay. On February 13 - the same day Figure released preliminary Q4 2025 financial results - ShinyHunters published the stolen data on their dark web extortion platform.
The leak included customer data files and screenshots of internal Slack conversations in which Figure management warned employees that attackers were contacting staff on personal and work phones, claiming to be IT needing to set up Okta.
The Slack messages explicitly told employees these were phishing attempts. ShinyHunters leaked these warnings as evidence of successful social engineering despite the company's awareness.
On February 18, security researcher Troy Hunt added the breach to Have I Been Pwned, identifying 967,200 unique email addresses. That same day, Figure priced an upsized secondary stock offering at $32 per share through Goldman Sachs, Morgan Stanley, and Cantor.
On February 24, Figure sent breach notification letters to affected individuals.
THREAT ACTOR
ShinyHunters is tracked by Google Threat Intelligence as UNC6040 (initial access/social engineering), UNC6240 (extortion), and UNC6661 (vishing operations).
In August 2025, ShinyHunters began operating jointly with Scattered Spider and LAPSUS$ under the banner Scattered LAPSUS$ Hunters (SLH), a loosely connected cybercrime ecosystem of primarily English-speaking operators in their teens and twenties.
The Figure breach was part of a massive 2026 vishing campaign targeting Okta SSO environments. Silent Push identified the infrastructure on January 26, 2026, documenting approximately 150 malicious domains mimicking SSO login portals.
Okta published an advisory on January 22. The campaign used a human-operated, real-time phishing panel intercepting MFA codes during live phone calls.
In February 2026 alone, ShinyHunters breached at least 15 organizations including Panera Bread (5.1 million accounts), SoundCloud (29.8 million), Betterment (1.4 million), Harvard, UPenn, Match Group, Canada Goose, and CarGurus (1.7 million).
WHAT WAS EXPOSED
Confirmed by HIBP and multiple sources: 967,200 unique email addresses, full names, phone numbers, physical home addresses, and dates of birth (2.5 GB total).
Confirmed by breach notification letters and law firm investigations: Social Security numbers, loan account numbers, and loan information.
The discrepancy between the publicly leaked dataset (which did not visibly include SSNs) and the broader notification scope suggests the attacker accessed files containing SSNs and loan data that were not included in the publicly published leak.
The affected individuals are homeowners who leveraged their property equity through Figure's lending platform - a demographic with verified assets, confirmed identities, and active financial relationships.
The combination of SSNs, home addresses, DOBs, and loan account numbers provides everything needed for full identity fraud or mortgage impersonation.
TECHNICAL FAILURE CHAIN
1. Human-layer compromise via vishing. The attack required no technical vulnerability. A single phone call defeated the entire authentication chain.
Figure had internal awareness - management had already issued Slack warnings - but awareness did not translate into controls that could prevent credential relay.
2. One-time-code MFA defeated by real-time relay. MFA was deployed, but the second factor was a code the user reads and types (SMS or authenticator app), which is not phishing-resistant: the live phishing panel forwarded each code to the real Okta tenant inside its validity window, so Okta saw an ordinary successful login.
Phishing-resistant authenticators (FIDO2/WebAuthn, whether a hardware security key or a device-bound passkey) defeat this class of attack because the browser binds the signed assertion to the origin it is actually on; an assertion produced on a lookalike domain is rejected by the real tenant, and there is no code for the victim to read out over the phone.
3. Okta FastPass enrollment without additional verification. After initial authentication, the attacker enrolled a new device (emulated Android via Genymobile) for persistent Okta FastPass access. No step-up authentication or device trust verification was required.
4. Overly broad access from a single compromised account. Once signed in, the account could SSO into connected applications holding files with SSNs, loan records, and PII for 967,200 customers. No access segmentation limited the blast radius of one employee's credentials.
5. Absence of real-time behavioral anomaly detection. The attacker bulk-downloaded 2.5 GB in approximately 90 minutes. While Figure detected the activity on the same day, the exfiltration was completed before access was revoked.
No automated DLP blocked the abnormal download volume in real time.
6. No out-of-band verification for sensitive operations. No callback verification procedure, no separate approval channel, and no mandatory challenge before an employee could grant access based on an unsolicited phone call.
REGULATORY EXPOSURE
- CCPA/CPRA - SSN exposure triggers the strictest requirements. Civil penalties of up to $7,500 per intentional violation (Attorney General/CPPA enforcement), plus statutory damages of $100 to $750 per consumer per incident under the breach private right of action. The class action explicitly invokes the CCPA. California AG notified.
- Gramm-Leach-Bliley Act Safeguards Rule - Figure Lending is a consumer lending institution. The FTC Safeguards Rule requires a comprehensive written information security program. A single vishing call yielding 967,200 SSNs and loan records raises questions about whether Figure's safeguards meet the "reasonable" standard.
- FTC Act Section 5 - Unfair or deceptive practices if published security promises were not met. The class action invokes this.
- SEC disclosure rules - As a public company (NASDAQ: FIGR), Figure must file a Form 8-K (Item 1.05) within four business days of determining that a cybersecurity incident is material; the clock runs from the materiality determination, not from discovery. The breach occurred January 28; public disclosure came February 13.
- State breach notification laws - SSN exposure triggers notification in all 50 states. Filed with California, Massachusetts (146 residents), and Texas (323 residents). The 27-day detection-to-notification gap (January 28 to February 24) falls within most state deadlines, which commonly run 30 to 60 days.
- CFPB - As a consumer lending entity, Figure falls under CFPB supervisory authority for data security adequacy.
- SEC Regulation S-P - If a Figure entity holds broker-dealer or investment-adviser registration for Provenance Blockchain securities activities, Regulation S-P (an SEC rule; FINRA examines member firms for compliance) requires written policies to protect customer information.
ZERO|TOLERANCE Advisory
1. Deploy phishing-resistant MFA (FIDO2/WebAuthn security keys or device-bound passkeys) for all employees with access to customer data or SSO-connected applications, and configure the identity provider to require it rather than merely offer it alongside code-based factors. Google reported no successful phishing-based employee account takeovers after it mandated security keys company-wide in 2017.
2. Implement out-of-band verification for all IT support interactions. Any unsolicited call requesting credentials should trigger a mandatory callback to a verified IT number.
3. Require step-up authentication and device trust verification for new device enrollment. Enrolling a new device for Okta FastPass should require a second administrator's approval or biometric re-authentication on a previously trusted device.
4. Segment data access by role with least-privilege enforcement. No single account should have uncontrolled access to 967,200 customer records including SSNs and loan data.
5. Deploy real-time DLP and UEBA with automated blocking. A 2.5 GB bulk download of customer PII over 90 minutes should trigger automated session termination, not just an alert.
6. Conduct vishing-specific tabletop exercises and simulated attacks. Standard email phishing training does not prepare employees for live voice social engineering.
SOURCES
TechCrunch, BleepingComputer, SecurityWeek, Cybernews, American Banker, Fox News, UpGuard, Halborn, CPO Magazine, ClassAction.org, TopClassActions, Strauss Borrelli PLLC, Schubert Jonckheer & Kolbe LLP, Massachusetts AG, California AG, GlobeNewsWire, Obsidian Security, CyberScoop, Silent Push, Google Cloud Blog (Mandiant), Have I Been Pwned