In February 2026, data from the fintech lending platform Figure was publicly posted online. The exposed dataset contained over 967,000 unique records, primarily consisting of customer email addresses, names, phone numbers, physical addresses, and dates of birth. The data originated from January 2026, indicating a relatively short time between collection and exposure.
The breach resulted from a social engineering attack where a Figure employee was tricked into providing system access. This initial access vector enabled the threat actor to obtain the customer dataset, which included highly sensitive personally identifiable information such as full dates of birth and physical addresses. The combination of these data elements significantly increases the risk of identity theft and targeted phishing campaigns against affected individuals.
Figure confirmed the incident and attributed it directly to the social engineering attack. The company has not disclosed specific containment measures, regulatory notifications, or litigation details at this stage of the public disclosure.
An employee was tricked into providing access via a social engineering attack.
This breach demonstrates the critical vulnerability of financial technology platforms to social engineering, even with robust technical controls. The compromise of an employee credential highlights the need for continuous, role-specific security awareness training focused on modern social engineering tactics. The exposure of highly sensitive PII like dates of birth and physical addresses underscores the requirement for strict data access controls and monitoring of employee access to sensitive customer datasets.