Data breach exposes nearly 1 million accounts

If you applied for a loan online, you probably shared more than you thought. Your name. Your email. Your date of birth. Maybe even your home address and phone number. Now imagine all that sitting on a dark web forum.

That’s the reality for nearly 1 million people after hackers breached Figure Technology Solutions, a blockchain-focused fintech lender.

Sign up to receive my FREE CyberGuy report
Get my best tech tips, urgent security alerts, and exclusive offers delivered straight to your inbox. Plus, you’ll get instant access to my Ultimate Guide to Surviving Scams, free when you join me CYBERGUY.COM information sheet.

What happened in the Figure data breach?

Founded in 2018, Figure Technology Solutions uses the Provenance blockchain to provide loans, borrowing, and trade securities. The company says it has unlocked more than $22 billion in home equity through partnerships with banks, credit unions, fintechs and home improvement companies. Behind the scenes, however, the attackers were working from a very different angle.

GOOGLE DROPPED DARK WEB MONITORING: SHOULD YOU CARE?

According to breach notification data shared by Have I Been Pwned, information from 967,200 accounts was exposed. The leaked data included more than 900,000 unique email addresses along with names, phone numbers, physical addresses and dates of birth. That’s a gold mine for identity thieves. The figure says that the incident was due to a social engineering attack. What that means in simple terms is that someone within the company was tricked into handing over access.

“We recently identified that an employee was socially engineered and that allowed an actor to download a limited number of files through their account,” a Figure Technology Solutions spokesperson told CyberGuy in a statement. “We acted quickly to block the activity and hired a forensic firm to investigate which files were affected. We understand the importance of these matters and are communicating with partners and those affected as appropriate. We are also implementing additional safeguards and training to further strengthen our defenses. We offer free credit monitoring to everyone who receives a notice. We continually monitor accounts and have strong safeguards in place to protect customer funds and accounts.”

Social engineering is the real weapon

When people hear the word blockchain, they think of security and untouchability. But the attackers did not breach the cryptography. They targeted a human being. Groups like ShinyHunters specialize in this manual. They reportedly claimed responsibility for the breach and, according to BleepingComputer, published 2.5 GB of data allegedly linked to thousands of loan applicants.

In recent weeks, the same group has reported violations involving companies such as Canada Goose, Panera Bread and sound cloud. Not all cases are related. Still, security researchers have observed a worrying pattern. Attackers pose as IT support. They call the employees. They create urgency. They then direct victims to fake login portals that look almost identical to the real ones.

Once employees enter their credentials and even multi-factor authentication codes, attackers gain access to single sign-on systems linked to major platforms like Microsoft and Google. From there, a compromised account can unlock a network of connected internal tools and systems.

PANERA BREAD DATA BREACH EXPOSES 5.1M CUSTOMERS

Why does this matter to you?

If your information was part of the Figure data breach, criminals now have enough details to craft convincing phishing emails or phone scams. They can refer to your real name. They can quote your address. They may pose as a lender or bank and call about your application.

Even if you never applied for a loan with Figure, this incident highlights something bigger. No platform is immune to human error. And social engineering works because it targets trust, not technology.

The most important lesson about blockchain and trust

Figure is marketed as blockchain native. Blockchain can provide transparency and strong cryptographic security. However, none of that protects against a well-designed phone call.

You can’t control how companies protect their systems. You can control how you respond. Start by checking if your email address appears in the exposed data set, then follow the steps below to lock your accounts.

SUBSTACK DATA BREACH EXPOSES EMAILS AND PHONE NUMBERS

Check if your email was exposed

To see if your email address was affected, visit https://haveibeenpwned.com/. Enter your email address to see if your information appears in the leak. When you’re done, come back here and start Step 1 below.

Take these steps immediately

1. Change exposed passwords immediately. Don’t leave a leaked known password in place. Update it everywhere you’ve used it. Use a password manager to create strong, unique passwords for each account. Check out the best expert-reviewed password managers of 2026 at Cyberguy.com
2. Light multi-factor authentication whenever possible.
3. Never share login codes with anyone, even if they claim to be IT support.
4. Install powerful antivirus software to help block phishing links, malicious downloads, and ransomware that often follow major breaches. Get my picks for the best antivirus protection winners of 2026 for your Windows, Mac, Android, and iOS devices at Cyberguy.com.
5. Consider a data removal service to reduce your personal information on data broker sites, which scammers often combine with compromised data. Check out my top picks for data removal services and get a free scan to find out if your personal information is already available on the web by visiting Cyberguy.com.
6. Place a free fraud alert or credit freeze with the main credit agencies.
7. Monitor your bank and credit card statements weekly for suspicious activity.

Also, be wary of unexpected calls about your bills. If someone pressures you to act immediately, hang up and call the company directly at a number on their official website.

Kurt’s Key Takeaways

The Figure data breach is a reminder that technology alone cannot protect sensitive information. A single employee tricked into revealing their credentials can expose hundreds of thousands of people. That’s not a blockchain failure. It is a failure of trust. If your data was involved, take action now. Even if it doesn’t, treat this as a wake-up call. Your personal information has value. Criminals know it. Companies should know this too.

If one phone call can unlock almost a million records, are companies investing enough in training people or are they still going all-in on technology alone? Let us know by writing to us at Cyberguy.com

CLICK HERE TO DOWNLOAD THE News APP

Sign up to receive my FREE CyberGuy report
Get my best tech tips, urgent security alerts, and exclusive offers delivered straight to your inbox. Plus, you’ll get instant access to my Ultimate Guide to Surviving Scams, free when you join me CYBERGUY.COM information sheet.

Copyright 2026 CyberGuy.com. All rights reserved.