Figure Technology Leak (Feb 19, 2026): ShinyHunters Drops 2.4GB, Nearly 1 Million Records Exposed

A social-engineering breach at a blockchain-native lender becomes a public identity-risk event—fast. Here’s what we know, what’s likely in the dump, and what customers should do immediately.

Date: February 19, 2026
Reported by: Multiple outlets + HIBP analysis
Threat actor: ShinyHunters (claimed)

TL;DR (Key Facts in 30 Seconds)

  • What leaked: A 2.4GB (≈2.5GB) archive attributed to Figure Technology Solutions was posted after a breach the company linked to social engineering.
  • Scale: Breach notification service Have I Been Pwned analyzed the dataset and found 967,200 unique email addresses in it.
  • What data: Reports and HIBP describe names, dates of birth, physical addresses, phone numbers, and email addresses—high-value identity data.
  • Why it matters: This combination is ideal for account takeover, SIM swaps, loan/credit fraud, and hyper-targeted phishing/vishing.
  • What to do: Secure your email + lock your mobile number (port-out PIN), rotate passwords, enable app-based MFA, and treat inbound “verification” contacts as suspicious.

Sourcing: TechCrunch reporting on the incident and HIBP analysis, plus the HIBP breach entry and SecurityWeek coverage.

TechCrunch (Feb 18), HIBP breach entry, SecurityWeek (Feb 19)

What Happened on Feb 19: From Quiet Incident to Public Dump

The reason this story hit hard on February 19, 2026 is simple: it crossed the line from “security incident” into “public dataset.” Once a breach turns into a downloadable archive on leak channels, the risk profile changes. It’s no longer just about what an intruder accessed inside one company—it becomes about what thousands of criminals can now copy, search, enrich, and weaponize.

By Feb 19, reporting converged on a consistent narrative: the threat group ShinyHunters claimed it stole data from Figure Technology Solutions and published a roughly 2.4GB archive—nearly a million records’ worth of personally identifying information (PII). The company confirmed a breach and attributed the root cause to social engineering—an employee being tricked into granting access or losing control of credentials. (See: TechCrunch’s initial confirmation report and SecurityWeek’s Feb 19 coverage.)

TechCrunch (Feb 13), SecurityWeek (Feb 19)

Key Facts Box (For Fast Scanning)

  • Organization: Figure Technology Solutions (blockchain-based lending / fintech platform)
  • Threat actor (claimed): ShinyHunters
  • Leak size: ~2.4GB (some reports cite ~2.5GB)
  • Scale indicator: 967,200 unique email addresses (HIBP analysis)
  • Exposed fields (reported): Names, DOB, physical addresses, phone numbers, email addresses
  • Root cause (company statement): Social engineering against an employee
  • Customer risk: Identity theft, targeted phishing/vishing, SIM swap, account takeover

HIBP, TechCrunch (Feb 18)

What Data Was “Spilled”—and Why That Specific Combo Is High Risk

Headlines often flatten breaches into a single number—“nearly 1 million records”—but the real danger is the type of data exposed. Based on analysis and reporting, the leaked dataset includes: full names, dates of birth, physical addresses, phone numbers, and email addresses. This aligns with the breach entry published by Have I Been Pwned and reporting that cites what was found in the leak.

HIBP breach entry, TechCrunch (Feb 18), SC World (Feb 19/20)

Why criminals love this dataset

If you’ve ever wondered why attackers bother with “boring” PII, this is why: identity data is a master key. A name + DOB + address + phone number forms a strong “identity package” that can be used to:

  • Bypass weak verification: Many support flows still use partial identity checks (DOB, address) to “confirm” a caller.
  • Run targeted phishing: A scam message that knows your address and DOB feels real because the details in it are real.
  • Attempt SIM swaps: With enough identity facts, criminals can pressure carriers into porting your number.
  • Seed credit/loan fraud: Lenders and fintech apps are frequent targets for synthetic identity attempts.

About the “email address” confusion

Some early coverage suggested email addresses might not be present, while other reporting and HIBP analysis indicate they are. When reputable sources diverge, the safest stance for readers is practical: assume your email may be included if you used it with Figure, verify via a trusted breach-notification service, and harden your email account first.

Email addresses noted in HIBP and TechCrunch analysis: HIBP, TechCrunch (Feb 18)

How the Breach Started: Social Engineering Beats “Strong Tech”

Figure confirmed that the incident began with social engineering—an attacker tricked an employee, which ultimately allowed unauthorized access and data theft. That detail is not a footnote; it’s the modern breach pattern. Organizations can spend heavily on perimeter security, but if an attacker can compromise identity and access flows (SSO logins, MFA resets, internal file shares), they often don’t need a single advanced exploit.

TechCrunch (Feb 13), Decrypt (Feb 14)

What “social engineering” likely looked like (in plain terms)

Companies rarely publish the full play-by-play during an active investigation, but social engineering typically succeeds through familiar moves: impersonating IT support, convincing an employee to approve an MFA prompt, harvesting credentials with a fake login page, or manipulating a reset flow. The takeaway isn’t to guess the exact method—it’s to recognize the weak point: human trust plus a permissive access path.

Why fintech is a prime target

Figure operates in lending/fintech, where onboarding and servicing require identity-heavy workflows. That means internal systems often contain dense PII by design. When a threat actor gets access to internal files, even a “limited number” can include exports or documents that represent huge exposure in customer terms.

What Customers Should Do Right Now (Step-by-Step, No Guesswork)

If you’re affected—or you simply want to reduce risk—this is the practical sequence that gives you the most protection per minute spent. Start with the accounts that can be used to reset everything else.

1) Verify exposure using a reputable checker

Use a reputable breach-notification service to check the email address you used with Figure. HIBP has a dedicated entry for the Figure breach describing exposed fields and timeframe.

HIBP: Figure breach

2) Secure your email first (it’s the reset hub)

Change your email password to a unique, long passphrase. Enable app-based MFA (authenticator) or a hardware security key if available. Check your email settings for suspicious forwarding rules or filters—attackers often create “silent forwarding” so they can monitor your resets without you noticing.

3) Lock your mobile number against SIM swap

Ask your carrier for a port-out PIN or “number lock.” If an attacker can steal your number, they can intercept OTPs and take over accounts. This is especially important if you use SMS-based MFA anywhere.

4) Rotate passwords—especially where you reused them

Even if this breach doesn’t include passwords, attackers will use the leaked emails and identity context for credential-stuffing attempts. Any reused password is a liability. A password manager makes this dramatically easier.

5) Upgrade MFA: move away from SMS where possible

If you can choose MFA methods, prefer authenticator apps or hardware keys. SMS is better than nothing, but it’s vulnerable to number takeover attacks.

6) Watch for “verification” scams that use your real data

Expect messages that contain your correct name, address, or DOB. Your rule: never trust inbound identity checks. Hang up, open the official app/site yourself, and contact support using verified numbers.

For readers in the Philippines (quick reality check)

Credit freezes and bureau workflows are often U.S.-centric. If you’re based in the Philippines, prioritize what attackers can realistically exploit cross-border: email takeover, SIM swap/number port, e-wallet fraud, phishing/vishing, and account resets. Secure your email and phone number, then tighten security on your banks/e-wallets and treat any “KYC reconfirmation” messages as suspicious unless initiated by you through official channels.

The Scams Most Likely to Follow This Leak (And How to Beat Them)

Once PII is public, criminals move from “spray and pray” to “precision targeting.” Here are the most common follow-on attacks you should expect after a leak like this—and the exact counter-moves that work.

1) Vishing (voice phishing) using your identity facts

The caller will sound confident because they can recite your address or DOB. They’ll claim they’re “verifying” or “preventing fraud,” then push you to reveal a code, approve an MFA prompt, or click a link. Your defense is simple and effective: end the call and contact the company using the official website/app. Never complete identity verification for a caller who contacted you first.

2) SIM swap / number port-out attempts

If attackers can move your phone number to a SIM they control, they can intercept SMS OTPs and reset accounts. This is why carrier-level protections (port-out PIN, number lock) are not optional anymore.

3) “We detected suspicious activity” emails that look real

The message will include personal details to lower your guard. It will pressure urgency (“final notice,” “account will be locked”) and route you to a fake login page. Don’t click. Navigate to the service directly and sign in from your own bookmark or app.

4) Loan/credit fraud attempts

In lending-related breaches, criminals may attempt to open accounts using stolen identity facts. If you receive unexpected application notices or verification requests, treat them as high priority—even if you didn’t initiate anything.

Reporting repeatedly emphasized the exposed fields and the scale of records, which is what makes follow-on scams viable: TechCrunch (Feb 18), TechRepublic

Why This Story Matters Beyond Figure: The “Identity Control Plane” Problem

This incident is not primarily a “blockchain problem.” It’s an identity and access problem. A blockchain-based company can still lose customer data the same way any SaaS-heavy business does: someone gets tricked, access expands, files are exfiltrated, and the breach becomes a public leak.

In many modern breaches, security fails at the “control plane”—the set of systems that manage who can access what: SSO, account recovery, MFA, helpdesk support, and shared document repositories. If a threat actor can compromise one identity with sufficient permissions, the technical complexity of the underlying platform almost doesn’t matter.

FAQ

How many records were exposed in the Figure leak?

Reporting commonly describes the exposure as “nearly 1 million.” HIBP’s analysis found 967,200 unique email addresses in the dataset attributed to Figure, which is a strong indicator of scale.

HIBP, TechCrunch (Feb 18)

What information was included in the leaked data?

Sources describe the exposed data as including names, dates of birth, physical addresses, phone numbers, and email addresses.

HIBP breach entry

Were passwords or financial credentials leaked?

The widely cited descriptions of the dataset focus on identity data (PII). Public reporting about this incident has not centered on passwords as the primary exposed field. However, even without passwords, identity data can enable account takeover via resets, SIM swaps, and support-channel abuse.

SecurityWeek

How did the attackers get in?

Figure stated the breach originated from a social engineering attack in which an employee was tricked, enabling data access and theft.

TechCrunch (Feb 13)

How do I check if my email is included?

Use a reputable breach-notification service to search your email address. HIBP has a Figure breach entry you can reference.

Have I Been Pwned

What’s the single most important action I can take?

Secure your email account first (unique password + app-based MFA). Email is the reset hub for most services, and it’s the foundation of preventing account takeover.

Why is my phone number such a big deal in breaches like this?

Phone numbers can be used for SMS-based MFA and password resets. With enough identity facts, criminals may attempt to hijack your number via SIM swap or port-out, then intercept OTPs.

What should I watch for over the next few weeks?

Expect targeted phishing/vishing that uses your real details, unexpected verification prompts, carrier notifications about SIM changes, and alerts about account resets or new applications you didn’t initiate.

What to Watch Next (The Follow-Up Signals That Matter)

Breaches evolve. The first leak is often only the beginning. Here’s what typically happens next—and what’s worth tracking as a reader:

  • Customer notification cadence: Who gets notices, and what details the notices confirm about affected data.
  • Secondary dumps: Threat actors sometimes publish “part two” or repackage datasets across forums.
  • Scam escalation: Vishing spikes and targeted phishing campaigns tend to rise after public breach coverage.
  • Clarifications on exposed fields: Watch for reconciliations about whether emails were included, and whether any additional identifiers appear.

TechCrunch (Feb 18), SecurityWeek (Feb 19)
