Figure breach proves blockchain cannot save us from human error

Figure Technology Solutions, the blockchain-based lender that recently went public on the Nasdaq (FIGR), is facing a growing discrepancy between its official account of a recent security breach and the actual volume of data appearing online.

While Figure has characterized the incident as a "limited" compromise of internal files, a parse of the exfiltrated data reveals that the breach exposed the personal information of more than one million individuals. The dataset includes 1,004,503 dates of birth, 991,777 email addresses, and 941,184 physical street addresses.

The records also contain 925,588 phone numbers and 807,644 full names, effectively providing a toolkit for identity theft and sophisticated phishing campaigns.

The breach originated from a social engineering attack-a tactic where a hacker manipulates an employee into granting access to internal systems. Figure spokesperson Alethea Jadick stated that the company "found out that an employee was manipulated into giving access, which let someone download a limited number of files." Ms. Jadick noted that the company took immediate action to terminate the activity and hired a forensic firm to investigate.

However, the "limited" nature of the files mentioned by the company is difficult to reconcile with the scale of the leak. The hacking collective ShinyHunters claimed responsibility for the intrusion, alleging that they published 2.5 gigabytes of data after Figure declined to pay a ransom.

Cybersecurity researchers have linked the incident to a broader 2026 campaign targeting organizations that use Okta’s single sign-on (SSO) service. In these attacks, hackers often use "vishing"-voice phishing-to impersonate IT support and trick employees into revealing credentials or bypass multi-factor authentication.

The exposure is particularly notable given Figure’s position as a leader in financial technology. Founded by former SoFi CEO Mike Cagney, the firm has marketed its "Provenance" blockchain as a more secure, modern infrastructure for home equity lines of credit (HELOCs) and other lending products. The reality that over a million birth dates were compromised via a simple human-targeted scam highlights a persistent vulnerability: no matter how robust the underlying ledger, the human point of entry remains a significant risk.

Figure has begun notifying affected individuals and is offering free credit monitoring. Yet, for the million-plus people whose permanent identifiers like dates of birth and home addresses are now in the public domain, a year of monitoring may be an insufficient remedy for a breach that was anything but limited.