Figure Data Breach Linked to Employee Social Engineering and ShinyHunters Leak
Figure Technology Solutions, a blockchain-based lending/fintech firm, confirmed a data breach after an employee was socially engineered, enabling attackers to access and exfiltrate a limited number of files. The company said it is communicating with partners and impacted individuals, has begun sending notifications, and is offering free credit monitoring to recipients of breach notices; it has not publicly disclosed the total number of affected individuals or when the incident was detected.
The cybercrime group ShinyHunters claimed responsibility and alleged Figure refused to pay a ransom, publishing about 2.5GB of purportedly stolen data on its leak site. Journalists who reviewed samples reported the exposed data included names, home addresses, dates of birth, and phone numbers, increasing risk of identity fraud and follow-on phishing. ShinyHunters also told reporters the intrusion was part of a broader campaign affecting organizations including Harvard University and UPenn, and referenced victims that rely on Okta for single sign-on.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
4 events from the most recent confirmed update back to the earliest known activity.
ShinyHunters links Figure incident to broader Okta-focused campaign
A ShinyHunters member told TechCrunch that the Figure breach was part of a wider campaign targeting organizations whose customers use Okta single sign-on. The same claim cited Harvard University and the University of Pennsylvania as other victims.
Figure confirms breach and begins notifying affected individuals
Figure publicly confirmed the data breach after receiving media inquiries and said it was working with partners and impacted individuals. The company began notifying affected people and offered free credit monitoring to anyone who receives a breach notice.
ShinyHunters claims Figure breach and leaks 2.5GB of alleged data
The threat group ShinyHunters claimed responsibility for the Figure incident, said the company refused to pay a ransom, and posted about 2.5GB of purportedly stolen data on its dark web leak site. Samples reviewed by TechCrunch reportedly contained customer names, home addresses, dates of birth, and phone numbers.
Figure employee is socially engineered, leading to data theft
Figure Technology said attackers socially engineered or phished an employee, which allowed them to access and steal a limited number of files from the company. The company did not disclose when the intrusion was discovered or how many people were affected.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
2 references tracked. Mallory keeps watching after this page renders.
See the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Figure Technology Solutions Data Breach via Social Engineering
**Figure Technology Solutions** suffered a data breach in which attackers obtained and later publicly posted customer data. Reporting indicates the exposed dataset (dating back to **January 2026**) included roughly **967,200 accounts** / **900k+ unique email addresses**, along with **names, phone numbers, physical addresses, and dates of birth**. Figure confirmed the incident and attributed initial access to **social engineering**, stating an employee was tricked into providing access and that attackers stole a “limited number of files.” The **ShinyHunters** extortion group claimed responsibility and listed Figure on its leak site, alleging the leak included about **2.5GB** of data tied to loan applicants. The breach’s scale was corroborated by *Have I Been Pwned*’s publication of the incident details, while broader coverage noted Figure had not proactively disclosed the incident publicly at the time of reporting and that additional details (e.g., full scope and notification posture) were still emerging.
Mar 21, 2026
ShinyHunters Leaks Donor and Alumni Data Stolen from Harvard and UPenn
**ShinyHunters** published datasets it claims were stolen during prior breaches at **Harvard University** and the **University of Pennsylvania (UPenn)**, posting what it says are **over one million records from each university** to its leak site used for extortion. Reporting indicates the exposed information relates to the schools’ development/alumni functions; TechCrunch said it verified portions of the data by corroborating details with alumni and public records (including matching against student ID numbers). Both universities attributed the intrusions to **social engineering** targeting staff supporting alumni and fundraising operations. UPenn previously confirmed unauthorized access to “a select group” of systems tied to development and alumni activities and said attackers also used official university email addresses to message alumni about the incident. Harvard reported its Alumni Affairs and Development environment was accessed following a **phone/voice-phishing** attack, and its incident FAQ described impacted data as including contact details (email, phone, home/business addresses), event attendance, donation details, and other biographical and fundraising-related information; public reporting noted uncertainty about whether affected individuals would receive individual notifications under applicable state requirements.
Mar 21, 2026
ShinyHunters Publishes Stolen Data From Bumble, Match Group, and Dozens of Firms
ShinyHunters has published a broad trove of allegedly stolen data affecting more than 40 organizations across retail, healthcare, hospitality, insurance, and consumer services, with reporting tying the leak campaign to victims including **Bumble**, **Match Group**, **Mytheresa**, **Zara**, **Carnival**, and **7-Eleven**. Researchers said the exposed material includes personally identifiable information, customer and transaction records, internal corporate files, and multi-terabyte datasets; one of the largest alleged exposures involved **Medtronic**, where roughly **9 million records** were reportedly listed before that entry was later removed from the leak site. The campaign reflects ShinyHunters' continued shift from ransomware-style encryption to **data theft and extortion**, with the group allegedly threatening to keep victim data available indefinitely on criminal platforms. Separate reports said the actors claimed to have stolen about **10 million records** from dating-app companies, while researchers also linked leaked **Bumble** data to the same operation after an earlier claim that roughly **30GB** had been taken from the company. The disclosures echo a wider criminal pattern in which stolen sensitive data is leaked to pressure victims after exfiltration, including in healthcare breaches such as the Change Healthcare incident.
Jun 7, 2026