Full Report
In February 2026, data obtained from the fintech lending platform Figure was publicly posted online. The exposed data, dating back to January 2026, contained over 900k unique email addresses along with names, phone numbers, physical addresses and dates of birth. Figure confirmed the incident and attributed it to a social engineering attack in which an employee was tricked into providing access.
Analysis Summary
# Incident Report: Figure Fintech Social Engineering & Data Breach
## Executive Summary
In early 2026, the fintech lending platform Figure suffered a significant data breach resulting from a successful social engineering attack against an employee. The incident led to the exposure of personally identifiable information (PII) belonging to over 967,000 customers. The compromised data was subsequently leaked on public forums in February 2026, confirming the theft of names, dates of birth, and contact information.
## Incident Details
- **Discovery Date:** February 2026 (Public posting)
- **Incident Date:** January 2026
- **Affected Organization:** Figure (Fintech Lending Platform)
- **Sector:** Financial Technology / Lending
- **Geography:** United States
## Timeline of Events
### Initial Access
- **Date/Time:** January 2026
- **Vector:** Social Engineering
- **Details:** An unauthorized actor contacted a Figure employee and used deceptive techniques to trick them into providing credentials or direct access to internal systems.
### Lateral Movement
- **Details:** Following initial access, the attacker pivoted from the compromised employee account to internal databases containing customer PII. Specific technical lateral movement techniques were not disclosed by the organization.
### Data Exfiltration/Impact
- **Details:** Data dating back to January 2026 was exfiltrated. The set included 967,247 unique records containing PII.
### Detection & Response
- **How it was discovered:** Detected following the public posting of the stolen data online and subsequent reporting by cybersecurity news outlets (e.g., TechCrunch).
- **Response actions taken:** Figure confirmed the breach, identified the compromised account, and attributed the attack to social engineering.
## Attack Methodology
- **Initial Access:** Social Engineering (Phishing or Vishing)
- **Persistence:** Not disclosed
- **Privilege Escalation:** Use of compromised employee credentials
- **Defense Evasion:** Use of legitimate employee access to bypass external security perimeters
- **Credential Access:** Obtained via social engineering
- **Discovery:** Internal database reconnaissance
- **Lateral Movement:** Not disclosed
- **Collection:** Automated gathering of customer records
- **Exfiltration:** Transfer of 900k+ records to external actor-controlled infrastructure
- **Impact:** Mass data exposure
## Impact Assessment
- **Financial:** Potential regulatory fines (CCPA/GDPR/SEC) and costs associated with credit monitoring for nearly 1M users.
- **Data Breach:** Exposure of 967,247 unique email addresses, names, phone numbers, physical addresses, and dates of birth.
- **Operational:** Diversion of security teams to remediation and forensic investigation.
- **Reputational:** High; public confirmation of a breach involving sensitive financial customer data.
## Indicators of Compromise
- **Network indicators:** None disclosed in the public record.
- **File indicators:** None disclosed.
- **Behavioral indicators:** Unusual access patterns from a single employee account; bulk data export/querying of customer databases outside of normal business duties.
## Response Actions
- **Containment measures:** Revocation of the compromised employee's access.
- **Eradication steps:** Verification of system integrity and cleanup of any potential backdoors.
- **Recovery actions:** Notification to affected users and coordination with Have I Been Pwned (HIBP) for public disclosure.
## Lessons Learned
- **Human Factor:** Even robust technical perimeters can be bypassed if an employee is insufficiently trained to recognize sophisticated social engineering.
- **Data Centralization:** The ability to exfiltrate nearly one million records suggests a lack of "speed bumps" or alerts for bulk data exports.
## Recommendations
- **Security Awareness:** Implement mandatory, high-frequency social engineering and anti-phishing simulations for all staff.
- **Access Control:** Implement the Principle of Least Privilege (PoLP) to ensure individual employees cannot access or export the entire customer database without secondary authorization.
- **Monitoring:** Deploy User and Entity Behavior Analytics (UEBA) to automatically flag and block anomalous bulk data downloads.
- **Authentication:** Enforce hardware-based Multi-Factor Authentication (MFA), such as FIDO2 security keys, which are resistant to traditional social engineering/phishing.
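The behavioral indicator listed above (bulk querying of the customer database by a single account outside normal business duties) and the UEBA monitoring recommendation both reduce, in practice, to a per-user sliding-window count over database audit logs. The following is an added example, not code from Figure or from this report: the JSON-lines audit log, its field names (`ts`, `user`, `table`, `rows`), the 15-minute window, the 10,000-row threshold and the 08:00-18:00 UTC business-hours range are all constructed assumptions chosen for illustration.

```python
"""Sliding-window detector for bulk customer-record exports.

Added example, not code from Figure or from the incident report. The JSON-lines
audit log, its field names, the business-hours range and the thresholds are all
constructed assumptions for illustration.
"""
import json
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed audit log: one JSON line per query against the customer PII table
# (who ran it, when, and how many rows it returned). The late-night burst by
# "bob" stands in for a compromised account pulling the table out in chunks.
SAMPLE_LOG = """\
{"ts": "2026-01-14T09:02:11Z", "user": "alice", "table": "customers", "rows": 1}
{"ts": "2026-01-14T09:05:40Z", "user": "alice", "table": "customers", "rows": 3}
{"ts": "2026-01-14T09:06:02Z", "user": "bob",   "table": "customers", "rows": 2}
{"ts": "2026-01-14T22:10:05Z", "user": "bob",   "table": "customers", "rows": 50000}
{"ts": "2026-01-14T22:12:30Z", "user": "bob",   "table": "customers", "rows": 50000}
{"ts": "2026-01-14T22:14:55Z", "user": "bob",   "table": "customers", "rows": 50000}
{"ts": "2026-01-15T08:30:00Z", "user": "alice", "table": "customers", "rows": 2}
"""

BUSINESS_HOURS = (8, 18)  # assumed 08:00-18:00 UTC; access outside it raises severity


def parse_events(text):
    """Parse JSON-lines audit records into dicts with a datetime 'ts', sorted by time."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        rec = json.loads(line)
        rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(rec)
    events.sort(key=lambda r: r["ts"])
    return events


def detect_bulk_exports(events, window=timedelta(minutes=15),
                        row_threshold=10000, table="customers"):
    """Flag any user whose rows returned from `table` within `window` reach row_threshold.

    Per-user sliding window: recent events sit in a deque, events older than the
    window are evicted, and an alert opens when the running sum first crosses the
    threshold. The open alert keeps tracking the burst and closes once the window
    total drops back below the threshold, so one burst produces one alert.
    """
    recent = defaultdict(deque)   # user -> events still inside the window
    totals = defaultdict(int)     # user -> sum of rows inside the window
    active = {}                   # user -> alert currently open for that user
    alerts = []
    for ev in events:
        if ev["table"] != table:
            continue
        user = ev["user"]
        q = recent[user]
        q.append(ev)
        totals[user] += ev["rows"]
        while q and ev["ts"] - q[0]["ts"] > window:
            totals[user] -= q.popleft()["rows"]
        if totals[user] >= row_threshold:
            if user not in active:
                start = q[0]["ts"]
                alert = {
                    "user": user,
                    "first_ts": start,
                    "last_ts": ev["ts"],
                    "peak_rows": totals[user],
                    "off_hours": not (BUSINESS_HOURS[0] <= start.hour < BUSINESS_HOURS[1]),
                }
                active[user] = alert
                alerts.append(alert)
            else:
                active[user]["last_ts"] = ev["ts"]
                active[user]["peak_rows"] = max(active[user]["peak_rows"], totals[user])
        elif user in active:
            # Window total fell back under the threshold: the burst is over.
            del active[user]
    return alerts


if __name__ == "__main__":
    for a in detect_bulk_exports(parse_events(SAMPLE_LOG)):
        print(f"ALERT user={a['user']} peak_rows={a['peak_rows']} "
              f"from={a['first_ts']:%Y-%m-%d %H:%M} to={a['last_ts']:%H:%M} "
              f"off_hours={a['off_hours']}")
```

Run as-is, the detector raises exactly one alert, for "bob", covering the three 50,000-row queries between 22:10 and 22:14 UTC, and marks it off-hours; "alice" never trips it. In a real deployment the row threshold should be derived from each role's historical baseline rather than fixed, and this alerting half pairs with the access-control recommendation above: the "block" half belongs in the query gateway, which should require the secondary authorization described under Access Control before a bulk export of the customer table is allowed to proceed.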