Public Blockchain Lender Figure Discloses Customer Data Breach After Social Engineering Attack
Figure Technologies, the blockchain-based lending firm that recently went public, has confirmed that a cybersecurity incident exposed customer data after one of its employees fell victim to a social engineering attack.
The breach has been claimed by the hacking group known as ShinyHunters, which says it obtained and released roughly 2.5 gigabytes of data taken from the company’s systems. According to the group, Figure declined to pay a ransom demand, prompting the hackers to publish the stolen information online.
An initial review of some of the compromised files reportedly shows that the dataset includes sensitive personal details such as customers’ full names, residential addresses, dates of birth, and phone numbers. These kinds of data points, while not always including financial details, can be highly valuable for identity theft, targeted phishing, and other forms of fraud.
In a statement shared with media, Figure acknowledged that the incident stemmed from a successful social engineering scheme targeting one of its staff members. “We recently identified that an employee was socially engineered, and that allowed an actor to download a limited number of files through their account,” the company said. Figure added that it “acted quickly to block the activity and retained a forensic firm to investigate what files were affected.”
Social engineering attacks exploit human behavior rather than technical vulnerabilities. Instead of directly hacking systems, attackers impersonate trusted parties, craft convincing messages, or create fake login pages to trick employees into revealing credentials, approving unauthorized requests, or granting access. Once a single account is compromised—especially one with elevated or poorly restricted permissions—an attacker can move quickly to access and exfiltrate data.
Figure has not publicly detailed exactly how the employee was deceived, nor has it specified how many customers were affected or whether any financial account information, Social Security numbers, or government ID data were accessed. The company’s description of “a limited number of files” suggests it is attempting to contain the scope of the breach, but the actual impact will depend on what those files contained and how widely the leaked data is now being circulated.
The involvement of ShinyHunters raises the stakes. The group has a track record of breaching companies, stealing large datasets, and then attempting to monetize them through extortion or sale. When targets refuse to pay a ransom—as Figure is alleged to have done—data often ends up posted on underground forums or leaked more broadly, making it difficult or impossible to fully contain the damage once it is in the wild.
For affected customers, the immediate risk is not necessarily direct access to bank balances, but rather the downstream misuse of personal information. A combination of name, address, birth date, and phone number can be enough for criminals to attempt SIM-swapping, open accounts in someone else’s name, or construct highly tailored phishing messages that appear legitimate. Over time, this can translate into financial fraud, credit score damage, or account takeovers at other institutions.
Incidents like this also underscore the particular tension facing fintech and blockchain companies that position themselves as technologically advanced and secure. Figure operates in a sector that emphasizes transparency, automation, and immutable records, yet the weak point in this case was a familiar one: an individual employee tricked into enabling unauthorized access. No matter how cutting-edge the underlying infrastructure, security often depends on day-to-day practices, training, and internal controls.
Regulators and investors are likely to pay attention to how Figure responds. As a publicly traded company handling financial services, it may face questions about its internal security policies, its oversight of employee access, and its incident response procedures. Independent forensic investigations, customer notifications, and potential regulatory reporting obligations will all shape how the fallout is managed in the coming weeks.
From a security perspective, the incident highlights several recurring lessons for organizations of all sizes:
– Employee accounts must be protected with strong authentication, ideally including phishing-resistant multi-factor authentication.
– Access should be governed by the principle of least privilege—employees should only be able to download or view the specific data they need to do their job.
– Continuous monitoring and anomaly detection can help flag unusual data downloads or logins from unexpected locations or devices.
– Regular, scenario-based training should prepare staff to recognize and report suspicious messages, unusual login prompts, or urgent requests that pressure them into bypassing normal procedures.
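The monitoring point in the list above can be made concrete with a per-account baseline check. The following is an added example, not code from Figure or from any source cited in this article; the log format, account names, device identifiers, and thresholds are all assumptions constructed for illustration.

```python
from collections import defaultdict
from statistics import median

# Constructed sample events: (day, account, device_id, bytes_downloaded).
# Every name and value here is made up for the example.
EVENTS = [
    (1, "alice", "laptop-a", 40_000_000), (2, "alice", "laptop-a", 55_000_000),
    (3, "alice", "laptop-a", 35_000_000), (4, "alice", "laptop-a", 60_000_000),
    (5, "alice", "laptop-a", 45_000_000),
    (1, "bob", "laptop-b", 10_000_000), (2, "bob", "laptop-b", 12_000_000),
    (3, "bob", "laptop-b", 9_000_000), (4, "bob", "laptop-b", 11_000_000),
    (5, "bob", "laptop-b", 8_000_000), (5, "bob", "unknown-7", 2_500_000_000),
]

def flag_anomalies(events, ratio=10, min_history=3):
    """Alert on account-days whose total download volume exceeds `ratio`
    times that account's own median over earlier, non-flagged days."""
    daily = defaultdict(lambda: defaultdict(int))    # account -> day -> bytes
    devices = defaultdict(lambda: defaultdict(set))  # account -> day -> devices
    for day, account, device, size in events:
        daily[account][day] += size
        devices[account][day].add(device)

    alerts = []
    for account, per_day in daily.items():
        seen_devices, history = set(), []
        for day in sorted(per_day):
            total = per_day[day]
            new_devices = devices[account][day] - seen_devices
            if len(history) >= min_history:
                baseline = median(history)
                if total > ratio * baseline:
                    alerts.append({"account": account, "day": day,
                                   "bytes": total, "baseline": baseline,
                                   "new_devices": sorted(new_devices)})
                    # Keep the flagged day and its devices out of the
                    # baseline so a burst cannot normalise itself.
                    continue
            history.append(total)
            seen_devices |= devices[account][day]
    return alerts

if __name__ == "__main__":
    for alert in flag_anomalies(EVENTS):
        print(alert)
```

Comparing each account against its own history, rather than a global threshold, keeps a heavy but normal user from alerting while still catching a low-volume account that suddenly pulls a large dataset from a device it has never used.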
Customers who suspect they might be affected would be well advised to monitor their financial accounts, review their credit reports for unusual activity, and be cautious about unsolicited emails, text messages, or calls referencing their personal details. Even if payment card numbers were not leaked, personal profile data can fuel fraud attempts months or even years after an initial breach.
For the broader crypto and fintech ecosystem, Figure’s breach is another reminder that reputational risk now closely tracks cybersecurity performance. Trust is central to any lending or financial platform, and each high-profile data incident raises user expectations for transparency about what happened, how it is being fixed, and what concrete measures are being taken to prevent a repeat scenario.
As the forensic review continues, the key questions will be how many customers are ultimately affected, whether more sensitive identifiers were included among the stolen files, and what long-term security upgrades Figure implements in response. The incident reinforces a hard reality for digital finance: sophisticated technology cannot fully compensate for the enduring vulnerability of the human element—making social engineering one of the most persistent and dangerous threats in the sector.
