Figure Technology Solutions, a U.S.-based fintech lending platform best known for digital home equity lines of credit, was breached in January 2026. Data from the platform was publicly posted online in February 2026, with breach-tracking services Have I Been Pwned and DataBreach.com indexing the dataset shortly afterward. Figure confirmed the incident and attributed it to a social-engineering attack in which an employee was tricked into providing access to internal systems.\n\nThe publicly circulating dataset covered approximately 967,000 unique customer records, with HIBP indexing roughly 900,000 unique email addresses. Compromised fields in the public subset included names, dates of birth, email addresses, phone numbers, and physical addresses. State-attorney-general filings, including those with California and Texas authorities, indicated that the underlying breach also exposed Social Security numbers and financial account information for some individuals, beyond the more limited field set published publicly. The threat actor ShinyHunters has been associated with the broader campaign.\n\nFor affected borrowers, the practical risk profile depends on which records were exposed. The publicly circulating subset of name, date of birth, address, and phone number is a strong base for targeted phishing and SIM-swap impersonation, particularly for messages that reference real loan or property relationships. The wider state-filing scope is materially more severe, with Social Security numbers and financial account information supporting fraudulent credit applications and identity-verification bypass at other financial institutions. Affected Figure customers should freeze credit at all three U.S. bureaus, monitor financial accounts closely, and treat any unsolicited contact referencing past loan applications, home equity products, or property records with caution.

Fintech lending platforms collect borrower identity, financial records, income and employment data, property or asset information, and account activity across loan-origination and servicing workflows.

Figure publicly disclosed the breach in late February 2026, after data first appeared online and was independently indexed by breach-tracking services. The company attributed the incident to a social-engineering attack in which an employee was tricked into providing access. State filings, including those with the California, Texas, and Maine attorneys general, indicated that some affected records also included Social Security numbers and financial account information beyond the publicly circulating subset. ShinyHunters has been associated with the underlying campaign, consistent with a broader 2025–2026 pattern of identity-based attacks against fintech and financial services firms by the same threat-actor cluster.