Data Breach at Figure Exposes Nearly One Million Accounts

Nearly 1 million accounts were compromised in a data breach at Figure Technology Solutions, exposing sensitive personal information due to a social engineering attack.

In a significant data breach, hackers have exposed personal information from 967,200 accounts at Figure Technology Solutions, a blockchain-focused fintech lender. The compromised data includes names, addresses, email addresses, and dates of birth.

For those who have applied for a loan online, the reality of sharing personal information can be alarming. Your name, email, date of birth, and even your home address may now be circulating on dark web forums. This is the unfortunate situation for nearly 1 million individuals following the breach at Figure Technology Solutions, which was founded in 2018 and utilizes the Provenance blockchain for lending, borrowing, and securities trading.

Figure claims to have unlocked over $22 billion in home equity through partnerships with banks, credit unions, fintechs, and home improvement companies. However, behind the scenes, a different story unfolded as attackers executed a social engineering attack to gain access to sensitive data.

According to breach notification data shared by Have I Been Pwned, the leaked information includes more than 900,000 unique email addresses, along with names, phone numbers, physical addresses, and dates of birth. This trove of personal data presents a significant opportunity for identity thieves.

A spokesperson for Figure Technology Solutions explained that the breach resulted from an employee being socially engineered into providing access. “We recently identified that an employee was socially engineered, and that allowed an actor to download a limited number of files through their account,” the spokesperson stated. “We acted quickly to block the activity and retained a forensic firm to investigate what files were affected. We understand the importance of these matters and are communicating with partners and those impacted as appropriate. We are also implementing additional safeguards and training to further strengthen our defenses. We are offering complimentary credit monitoring to all individuals who receive a notice. We continuously monitor accounts and have strong safeguards in place to protect customers’ funds and accounts.”

While blockchain technology is often associated with security and invulnerability, this incident underscores that attackers can exploit human vulnerabilities rather than breaking through cryptographic defenses. Groups like ShinyHunters have been linked to this breach, reportedly claiming responsibility and posting 2.5GB of data tied to thousands of loan applicants on the dark web.

In recent weeks, ShinyHunters has also claimed responsibility for breaches involving other companies, including Canada Goose, Panera Bread, and SoundCloud. Although not every case is connected, security researchers have noted a concerning trend where attackers impersonate IT support, create urgency, and direct employees to fake login portals that closely resemble legitimate ones. Once employees enter their credentials, including multi-factor authentication codes, attackers can gain access to single sign-on systems linked to major platforms like Microsoft and Google. This can lead to a cascade of compromised accounts and internal systems.

The implications of the Figure data breach are significant. If your information was part of the breach, criminals now possess enough detail to craft convincing phishing emails or phone scams. They can reference your real name and address, potentially impersonating a lender or bank regarding your application.

Even if you have never applied for a loan with Figure, this incident highlights a broader issue: no platform is immune to human error. Social engineering works by targeting trust rather than technology. While Figure promotes itself as a blockchain-native company, the reality is that blockchain technology does not protect against well-crafted phone calls or social manipulation.

As financial services increasingly move online, the attack surface for potential breaches expands. Loan applications, identity verification tools, and cloud-based systems offer convenience but also create new vulnerabilities.

To protect yourself following the Figure data breach, it is essential to take proactive steps. While you cannot control how companies secure their systems, you can manage your response. Start by checking whether your email address appears in the exposed dataset. You can do this by visiting Have I Been Pwned and entering your email address to see if your information has been compromised.

Additionally, be cautious of unexpected calls regarding your accounts. If someone pressures you to act immediately, it is advisable to hang up and contact the company directly using a number from its official website.

The Figure data breach serves as a stark reminder that technology alone cannot safeguard sensitive information. A single employee tricked into revealing credentials can expose hundreds of thousands of individuals. This incident is not a failure of blockchain technology but rather a failure of trust.

If your data was involved in the breach, it is crucial to take action now. Even if it was not, this incident should serve as a wake-up call. Your personal information holds significant value, and criminals are aware of this. Companies must also recognize the importance of investing in employee training and security measures to prevent such breaches in the future.

As we navigate an increasingly digital landscape, the question remains: are companies doing enough to protect sensitive information, or are they relying too heavily on technology alone? This breach raises critical concerns about the adequacy of current security practices and the need for a more comprehensive approach to safeguarding personal data.

For further insights and updates on cybersecurity, visit CyberGuy.
