Figure Technology, a blockchain based lending firm, has confirmed it suffered a data breach after an employee was deceived in what the company described as a social engineering attack. In a statement issued Friday, spokesperson Alethea Jadick said the incident allowed hackers to access and steal a limited number of files. She added that the company is notifying affected individuals and partners, and is offering free credit monitoring services to those who receive official notice.
The company declined to provide detailed answers about the scope of the breach, including how many customers were affected or when the intrusion was first detected. However, hackers associated with the group ShinyHunters claimed responsibility on their dark web leak site, alleging that Figure refused to pay a ransom demand. The group subsequently published 2.5 gigabytes of what it said was stolen data.
A review of a portion of the leaked material by TechCrunch reportedly showed sensitive personal information, including customers’ full names, home addresses, dates of birth, and phone numbers. Such details raise concerns about potential identity theft and financial fraud, particularly given Figure’s role in lending and financial services.
A member of ShinyHunters told TechCrunch that Figure was targeted as part of a broader campaign aimed at organizations relying on the single sign on provider Okta. The same campaign is said to have affected institutions including Harvard University and University of Pennsylvania, suggesting a coordinated effort focused on exploiting authentication systems rather than isolated vulnerabilities within individual companies.