Social Engineering Breaches Exposed Customer Data at Figure and Allianz Life
Figure and Allianz Life disclosed separate breaches in which attackers used social engineering to gain access to systems holding large volumes of customer data. Figure said an employee was deceived into granting access, leading to the public posting of a dataset from January 2026 that contained more than 900,000 unique email addresses as well as names, phone numbers, physical addresses, and dates of birth.
Allianz Life reported that a cyberattack in July 2025 targeted data stored on Salesforce and was later followed by the online leak of 1.1 million unique email addresses. The exposed Allianz Life records also included names, genders, dates of birth, phone numbers, and physical addresses, underscoring how social engineering attacks continue to drive large-scale exposure of sensitive personal information across financial services firms.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
5 events from the most recent confirmed update back to the earliest known activity.
Millions of Allianz Life records are later leaked online
After the July 2025 intrusion, millions of Allianz Life records were leaked online. The exposed data included 1.1 million unique email addresses as well as names, genders, dates of birth, phone numbers, and physical addresses.
Figure confirms breach and attributes it to employee social engineering
Figure confirmed the incident and said it resulted from a social engineering attack in which an employee was deceived into granting access. This confirmation accompanied public reporting of the exposed dataset.
Figure breach data is publicly posted online
In February 2026, data from the fintech lending platform Figure was publicly posted online. The exposed dataset included names, phone numbers, physical addresses, dates of birth, and more than 900,000 unique email addresses.
Figure data from January 2026 is exposed after employee social engineering
In January 2026, attackers obtained access to Figure data after deceiving an employee through a social engineering attack. The compromised data included personal information later described as affecting more than 900,000 unique email addresses.
Allianz Life suffers social engineering cyberattack targeting Salesforce data
In July 2025, Allianz Life said it was hit by a cyberattack involving a social engineering technique. The intrusion targeted data stored on Salesforce systems.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
2 references tracked. Mallory keeps watching after this page renders.
See the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Figure Technology Solutions Data Breach via Social Engineering
**Figure Technology Solutions** suffered a data breach in which attackers obtained and later publicly posted customer data. Reporting indicates the exposed dataset (dating back to **January 2026**) included roughly **967,200 accounts** / **900k+ unique email addresses**, along with **names, phone numbers, physical addresses, and dates of birth**. Figure confirmed the incident and attributed initial access to **social engineering**, stating an employee was tricked into providing access and that attackers stole a “limited number of files.” The **ShinyHunters** extortion group claimed responsibility and listed Figure on its leak site, alleging the leak included about **2.5GB** of data tied to loan applicants. The breach’s scale was corroborated by *Have I Been Pwned*’s publication of the incident details, while broader coverage noted Figure had not proactively disclosed the incident publicly at the time of reporting and that additional details (e.g., full scope and notification posture) were still emerging.
Mar 21, 2026
Figure Data Breach Linked to Employee Social Engineering and ShinyHunters Leak
**Figure Technology Solutions**, a blockchain-based lending/fintech firm, confirmed a **data breach** after an employee was **socially engineered**, enabling attackers to access and exfiltrate a **limited number of files**. The company said it is communicating with partners and impacted individuals, has begun sending notifications, and is offering **free credit monitoring** to recipients of breach notices; it has not publicly disclosed the total number of affected individuals or when the incident was detected. The cybercrime group **ShinyHunters** claimed responsibility and alleged Figure refused to pay a ransom, publishing about **2.5GB** of purportedly stolen data on its leak site. Journalists who reviewed samples reported the exposed data included **names, home addresses, dates of birth, and phone numbers**, increasing risk of identity fraud and follow-on phishing. ShinyHunters also told reporters the intrusion was part of a broader campaign affecting organizations including **Harvard University** and **UPenn**, and referenced victims that rely on **Okta** for single sign-on.
Mar 21, 2026
Betterment Social-Engineering Breach Exposes 1.4 Million Customer Records
**Betterment** disclosed that a **social engineering** attack against a **third-party platform account** used for customer communications enabled unauthorized access to internal systems in early January, leading to the exposure of personal data tied to **1,435,174 accounts**. The intruder used the access to send **fraudulent crypto-themed promotional messages** impersonating Betterment and promising to “triple” cryptocurrency sent to attacker-controlled wallets (including **Bitcoin and Ethereum** addresses). Betterment said it revoked the unauthorized access the same day it was detected, warned customers to ignore the messages, and initiated a forensic investigation with external incident-response support. Breach analysis and indexing by **Have I Been Pwned** indicated the exposed dataset included **email addresses, names, and location data**, with reporting also citing additional PII such as **dates of birth, physical addresses, phone numbers, device information, and employment-related details**. Betterment stated there is **no evidence** that customer investment accounts were accessed or that **passwords/authentication tokens** were compromised, characterizing the incident as an exposure of contact/identity data rather than account credentials. Separate reporting noted Betterment also experienced **intermittent outages attributed to a DDoS attack and extortion attempts** around the same period, but this was described as distinct from the social-engineering-driven data exposure.
Mar 21, 2026