Fintech Giant Figure Confirms Data Breach Impacting Nearly 1 Million Customer Accounts

On February 18, 2026, a major data breach at Figure Technology Solutions — a U.S.-based fintech company specializing in blockchain-powered lending, home equity products, and tokenized financial marketplaces — was revealed, potentially affecting almost one million customer accounts. The incident underscores an ongoing trend of social engineering attacks targeting enterprise systems and highlights critical cybersecurity challenges in the financial services sector.

Incident Summary

According to investigative reporting and breach disclosures, threat actors gained unauthorized access to Figure’s internal systems by exploiting human vulnerabilities rather than a technical flaw. Specifically:

  • The attacker used social engineering techniques to manipulate an employee into divulging access credentials, effectively bypassing internal authentication safeguards.
  • Once inside, the threat actor exfiltrated a limited number of files containing sensitive customer information.
  • Security monitoring and forensic investigations are ongoing, with Figure notifying affected users and offering identity protection resources to mitigate misuse of the stolen data.

The number of impacted accounts was quantified by the well-known breach monitoring service Have I Been Pwned, which indicated that about 967,200 accounts’ data may have been compromised. The exposed fields reportedly include full names, postal addresses, dates of birth, phone numbers, and email addresses — the type of personally identifiable information (PII) that can fuel phishing, vishing, identity theft, and account takeover campaigns.

Attribution and Data Leak

The hacker group claiming responsibility goes by the name ShinyHunters, a prolific threat actor associated with a number of high-profile data leaks in recent years. ShinyHunters reportedly published approximately 2.5 GB of data from the incident on dark web platforms after Figure declined to pay a ransom demand.

While not all breaches attributed to ShinyHunters are identical in technique or scope, many involve targeted social engineering and credential harvesting campaigns aimed at employees of cloud and enterprise service providers. In several recent cases, attackers compelled employees to disclose multifactor authentication (MFA) codes or to enter credentials into fake login portals, thereby subverting single-sign-on (SSO) services like Okta and gaining broader access.

Technical Analysis of Attack Vector

Social engineering remains one of the most effective mechanisms for initial compromise in financial and tech environments. Unlike software exploits that target specific code vulnerabilities, social engineering abuses human trust and procedural gaps:

  1. Target Identification: Attackers identify employees with access privileges through OSINT (open-source intelligence) or reconnaissance on professional networks.
  2. Pretexting: A convincing pretext — often impersonating IT support, a vendor, or a trusted internal service — is employed to lower the employee’s guard.
  3. Credential Capture: Victims are tricked into revealing MFA codes, clicking malicious links, or submitting credentials to spoofed sign-in pages. Once captured, these credentials can be replayed to authenticate into the real environment.
  4. Lateral Movement: With valid SSO access, attackers move beyond the initial account to pivot to backend systems, data repositories, and customer records.

This attack pattern highlights the limitations of password-centric defenses and the extent to which attackers now leverage real credentials obtained through manipulation rather than brute force or code exploits.

Implications for Fintech and Cybersecurity

Fintech firms occupy a unique risk profile: they manage highly sensitive financial and identity data across interconnected platforms, often relying on third-party services and cloud identity providers. This increases their attack surface and demands rigorous security controls, including:

  • Zero Trust Architecture: Enforce least-privilege access and continuous authentication checks rather than one-time login events.
  • Phishing Resistance Training: Regular simulation exercises and education can reduce susceptibility to advanced social engineering tactics.
  • MFA Hardening: Adopt stronger MFA mechanisms (e.g., hardware tokens) whose credentials cannot be easily phished or replayed.
  • Threat Hunting and Detection: Proactive monitoring to identify anomalous SSO sessions, new device logins, and suspicious API usage.
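The last bullet is the one most directly actionable for a security operations team, so here is an added example of what that monitoring can look like in practice. This is illustrative code written for this article, not Figure's tooling or any vendor's product. It runs over a handful of constructed SSO sign-in events (the JSON field names, user names, device ids, and the 3-challenges-in-5-minutes threshold are all assumptions) and raises alerts for a successful login from a device or country the user has never used, and for a burst of MFA challenges against one account, which is the footprint left by the credential-replay and MFA-prompt abuse described above.

```python
import json
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample SSO events in JSON-lines form. These are not real logs
# from Figure or any identity provider; field names are assumptions.
SAMPLE_LOG_LINES = """
{"ts": "2026-02-10T09:00:00Z", "user": "alice", "event": "login.success", "device_id": "dev-a1", "country": "US", "ip": "198.51.100.10"}
{"ts": "2026-02-10T09:01:00Z", "user": "bob", "event": "mfa.challenge", "device_id": "dev-b9", "country": "NL", "ip": "203.0.113.7"}
{"ts": "2026-02-10T09:02:00Z", "user": "bob", "event": "mfa.challenge", "device_id": "dev-b9", "country": "NL", "ip": "203.0.113.7"}
{"ts": "2026-02-10T09:03:00Z", "user": "bob", "event": "mfa.challenge", "device_id": "dev-b9", "country": "NL", "ip": "203.0.113.7"}
{"ts": "2026-02-10T09:04:00Z", "user": "bob", "event": "mfa.challenge", "device_id": "dev-b9", "country": "NL", "ip": "203.0.113.7"}
{"ts": "2026-02-10T09:05:00Z", "user": "bob", "event": "login.success", "device_id": "dev-b9", "country": "NL", "ip": "203.0.113.7"}
{"ts": "2026-02-10T10:00:00Z", "user": "alice", "event": "login.success", "device_id": "dev-a1", "country": "US", "ip": "198.51.100.10"}
""".strip()

# Constructed per-user baseline: devices and countries previously seen for
# each account. In a real deployment this comes from historical sign-in data.
BASELINE = {
    "alice": {"devices": {"dev-a1"}, "countries": {"US"}},
    "bob": {"devices": {"dev-b1"}, "countries": {"US"}},
}


def parse_events(text):
    """Parse JSON-lines sign-in events and return them sorted by timestamp."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        rec = json.loads(line)
        rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(rec)
    events.sort(key=lambda e: e["ts"])
    return events


def detect_anomalies(events, baseline, mfa_threshold=3, mfa_window=timedelta(minutes=5)):
    """Return a list of alerts for new-device logins, new-country logins and
    MFA challenge bursts (a possible push-fatigue or credential-replay attempt)."""
    # Copy the baseline so repeated runs do not mutate the caller's data.
    seen = {u: {"devices": set(b["devices"]), "countries": set(b["countries"])}
            for u, b in baseline.items()}
    challenges = defaultdict(deque)  # per-user sliding window of challenge times
    alerts = []

    for e in events:
        user = e["user"]
        if e["event"] == "mfa.challenge":
            window = challenges[user]
            window.append(e["ts"])
            # Drop challenges that fell out of the sliding window.
            while window and e["ts"] - window[0] > mfa_window:
                window.popleft()
            if len(window) >= mfa_threshold:
                alerts.append({"type": "mfa_burst", "user": user, "ts": e["ts"],
                               "detail": f"{len(window)} MFA challenges within {mfa_window}"})
                window.clear()  # fire once per burst, then start counting again
        elif e["event"] == "login.success":
            profile = seen.setdefault(user, {"devices": set(), "countries": set()})
            # Only alert when the user already has history; a brand-new account
            # has nothing to compare against.
            if profile["devices"] and e["device_id"] not in profile["devices"]:
                alerts.append({"type": "new_device", "user": user, "ts": e["ts"],
                               "detail": f"first login from device {e['device_id']}"})
            if profile["countries"] and e["country"] not in profile["countries"]:
                alerts.append({"type": "new_country", "user": user, "ts": e["ts"],
                               "detail": f"first login from country {e['country']}"})
            profile["devices"].add(e["device_id"])
            profile["countries"].add(e["country"])
    return alerts


def run_example():
    """Run the detector over the constructed sample log."""
    return detect_anomalies(parse_events(SAMPLE_LOG_LINES), BASELINE)


if __name__ == "__main__":
    for alert in run_example():
        print(f"{alert['ts'].isoformat()} {alert['type']:<12} {alert['user']:<8} {alert['detail']}")
```

Run as written, the script flags three events, all for `bob`: an MFA challenge burst at 09:03, then a successful login at 09:05 from a device and a country the account has never used, which is exactly the sequence a responder would want to see correlated into a single case. The burst detector clears its window after firing so a long-running attempt produces one alert per burst rather than one per prompt; raising `mfa_threshold` above the number of challenges in the sample leaves only the two new-device and new-country alerts.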

The breach at Figure follows a wave of similar incidents across the financial technology ecosystem, pointing to an emergent pattern wherein social engineering is the preferred vector for threat actors — often bypassing standard perimeter defenses.

Mitigation and User Recommendations

Customers and organizations affected by such breaches should consider:

  • Enrolling in credit monitoring and identity theft protection services if offered by the breached provider.
  • Monitoring financial statements and credit reports for unauthorized activity.
  • Strengthening authentication on personal accounts (password managers, unique passwords across services).
  • Being vigilant against phishing and vishing attempts that reference stolen data to build credibility.