Fintech Giant Figure Hit by "ShinyHunters": 967k Accounts Leaked After SSO Vishing Attack
The "ShinyHunters" collective has claimed another major scalp in the fintech world. Figure Technology Solutions, the San Francisco-headquartered blockchain lending pioneer, is the latest victim of a sophisticated social engineering campaign that has resulted in the exposure of nearly one million customer records.
The breach, which was confirmed by Figure spokespeople earlier this week and added to the Have I Been Pwned (HIBP) database today, underscores a dangerous trend in 2026: threat actors aren't hacking through the firewall; they are talking their way through the front door.

The Attack Vector: "Live Phishing" and SSO Hijacking
According to security researchers and initial company statements, the breach originated from a vishing (voice phishing) attack. The threat actors, likely operating as part of the broader Scattered LAPSUS$ Hunters collective, contacted a Figure employee while impersonating IT support or an identity provider.
By directing the employee to a "victim-branded" credential harvesting site, the attackers were able to:
- Capture SSO Credentials: Intercept legitimate Single Sign-On logins in real-time.
- MFA Bypass: Relay the login through a Man-in-the-Middle (MitM) proxy so that the Multi-Factor Authentication token is captured as the employee enters it, allowing the attackers to register their own device or hijack the authenticated session.
- Lateral Movement: Once inside the SaaS perimeter, the group exfiltrated approximately 2.5 gigabytes of sensitive customer files.
The Damage: What Was Leaked?
While Figure has clarified that its core blockchain-based "Provenances" and sensitive financial account numbers remain secure, the leaked Personally Identifiable Information (PII) is extensive. The dataset shared on dark web forums includes:
- 967,200 unique email addresses
- Full names and physical home addresses
- Dates of birth
- Phone numbers
"This isn't a failure of blockchain security; it's a failure of identity management," noted an analyst in the Hacklido community. "If your MFA can be defeated by a phone call, it's not a security control, it's a speed bump."
Part of a Larger February Blitz
Figure is not an isolated target. This incident follows a string of high-profile leaks by ShinyHunters this month, including Harvard University, Canada Goose, and Crunchbase. All of these attacks share a common thread: the targeting of SaaS platforms and the exploitation of the "human element" within the identity stack.
Hacklido Analysis: The End of Push-Based MFA?
For the cybersecurity professionals at Hacklido, the Figure breach is a clear signal that Push-based MFA is no longer sufficient for high-value targets.
- Vishing Resilience: Attackers are becoming masters of "MFA Fatigue" and social manipulation.
- The Solution: This breach serves as a mandate for FIDO2/WebAuthn (Hardware Keys). Unlike SMS or Push codes, a hardware-key credential is cryptographically bound to the origin (domain) that registered it: the browser writes the site's origin into the signed assertion and will only use the credential for that domain, so the "victim-branded" proxy sites used by ShinyHunters cannot obtain a login that the real site will accept.
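To make the contrast between the attack vector above and the FIDO2/WebAuthn recommendation concrete, the following is an added illustration written for this article; it is not code from Figure, from ShinyHunters' tooling, or from any WebAuthn library. It models the two checks that defeat a relaying proxy (the browser's rpId-versus-origin rule and the relying party's origin and rpIdHash verification) alongside an RFC 6238 TOTP code, which carries no origin at all and therefore verifies wherever it is relayed. The domains figure.example and figure-login.example are invented placeholders, and an HMAC key stands in for the credential key pair to keep the model short.

```python
import base64
import hashlib
import hmac
import json
import secrets
import struct
import time
from dataclasses import dataclass

# Constructed placeholder values: a hypothetical relying party (RP) and a hypothetical look-alike proxy.
RP_ID = "figure.example"
RP_ORIGIN = "https://figure.example"
PROXY_ORIGIN = "https://figure-login.example"   # attacker-controlled MitM proxy page (hypothetical)


@dataclass
class Credential:
    """A registered credential; a symmetric HMAC key stands in for the real key pair (simplification)."""
    cred_id: bytes
    rp_id: str      # the RP ID this credential was registered under
    key: bytes


def rp_id_hash(rp_id: str) -> bytes:
    return hashlib.sha256(rp_id.encode()).digest()


def browser_get_assertion(cred: Credential, challenge: str, page_origin: str, requested_rp_id: str):
    """Model of the browser + authenticator half of navigator.credentials.get().

    The page cannot influence either check from a proxy domain:
      1. the browser only honours an rpId equal to the page's host or a registrable suffix of it;
      2. the authenticator only holds credentials scoped to the rpId they were registered under.
    The browser, not the page, writes the origin into clientDataJSON.
    """
    host = page_origin.split("://", 1)[1]
    if not (host == requested_rp_id or host.endswith("." + requested_rp_id)):
        return "browser_refused"                       # a real browser raises SecurityError here
    if cred.rp_id != requested_rp_id:
        return "no_credential"                         # nothing scoped to this rpId on the authenticator
    client_data = json.dumps({"type": "webauthn.get", "challenge": challenge, "origin": page_origin}).encode()
    auth_data = rp_id_hash(requested_rp_id) + b"\x01" + b"\x00\x00\x00\x01"   # rpIdHash | flags(UP) | signCount
    to_sign = auth_data + hashlib.sha256(client_data).digest()
    sig = hmac.new(cred.key, to_sign, hashlib.sha256).digest()
    return client_data, auth_data, sig


def rp_verify(cred: Credential, expected_challenge: str, response) -> bool:
    """Relying-party checks (type, challenge, origin, rpIdHash, signature) that a relayed assertion fails."""
    if not isinstance(response, tuple):
        return False
    client_data, auth_data, sig = response
    cd = json.loads(client_data)
    if cd.get("type") != "webauthn.get" or cd.get("challenge") != expected_challenge:
        return False
    if cd.get("origin") != RP_ORIGIN:                  # origin binding: the proxy page cannot forge this
        return False
    if auth_data[:32] != rp_id_hash(RP_ID):            # rpIdHash must be the RP's own ID
        return False
    to_sign = auth_data + hashlib.sha256(client_data).digest()
    return hmac.compare_digest(hmac.new(cred.key, to_sign, hashlib.sha256).digest(), sig)


def webauthn_scenarios() -> dict:
    """Legitimate login succeeds; every route through the proxy page fails at one of the checks."""
    cred = Credential(b"cred-001", RP_ID, secrets.token_bytes(32))
    challenge = base64.urlsafe_b64encode(secrets.token_bytes(32)).decode()
    results = {}
    # 1. User on the real site: origin and rpIdHash match what the RP expects.
    results["legitimate"] = rp_verify(cred, challenge, browser_get_assertion(cred, challenge, RP_ORIGIN, RP_ID))
    # 2. Proxy page relays the real challenge and asks for the real rpId: the browser refuses outright.
    results["proxy_real_rpid"] = browser_get_assertion(cred, challenge, PROXY_ORIGIN, RP_ID)
    # 3. Proxy page asks for its own rpId: the authenticator has no credential scoped to it.
    results["proxy_own_rpid"] = browser_get_assertion(cred, challenge, PROXY_ORIGIN, "figure-login.example")
    # 4. Even with a credential for the proxy domain and the same key, the RP rejects on origin/rpIdHash.
    proxy_cred = Credential(b"cred-002", "figure-login.example", cred.key)
    relayed = browser_get_assertion(proxy_cred, challenge, PROXY_ORIGIN, "figure-login.example")
    results["proxy_relayed_assertion"] = rp_verify(cred, challenge, relayed)
    return results


def totp(secret: bytes, at: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1 over the time counter), i.e. what an authenticator app displays."""
    counter = struct.pack(">Q", at // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = (struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF) % (10 ** digits)
    return f"{code:0{digits}d}"


def totp_relay_scenario(now: int = 0) -> bool:
    """A TOTP code typed into the proxy page carries no origin, so the real site accepts it when relayed."""
    secret = secrets.token_bytes(20)
    now = now or int(time.time())
    typed_on_proxy_page = totp(secret, now)      # what the MitM proxy sees the user enter
    relayed_to_real_site = typed_on_proxy_page   # nothing in the code says where it was typed
    return hmac.compare_digest(totp(secret, now), relayed_to_real_site)


if __name__ == "__main__":
    print(webauthn_scenarios())          # legitimate True, every proxy route refused or False
    print(totp_relay_scenario())         # True: the relayed OTP verifies at the real site
```

The point the model makes is that the defence lives in the browser and the relying party, not in the user's judgement: an employee who has been talked into a look-alike page by a convincing caller still cannot hand over a usable WebAuthn assertion, whereas an OTP or push approval relayed from that page is indistinguishable from a genuine one.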
Advice for Affected Users
Figure is currently offering free credit monitoring to notified individuals. If you have an account with Figure, or if your data was part of the 967k records now circulating:
- Assume your phone number is burned: Expect an increase in targeted vishing and SMS phishing.
- Monitor "Change of Address" Alerts: With your DOB and physical address, attackers may attempt to redirect your mail or hijack other financial services.
- Harden your SSO: If your personal email or financial apps use the same password or "easy" MFA, switch to a passkey-based system immediately.