You might think a company built entirely on the premise of blockchain security would be virtually impenetrable. After all, Figure Technology Solutions isn’t just a standard lender; they leverage the Provenance Blockchain to speed up Home Equity Lines of Credit (HELOCs). But as we learned on February 13, 2026, even the most sophisticated cryptographic ledgers can’t patch the oldest vulnerability in the book: human error.
Figure confirmed late last week that they had fallen victim to a data breach. The culprit wasn’t a complex zero-day exploit or a crack in the blockchain itself. Instead, it was a classic case of social engineering. The attackers bypassed the digital fortress by simply tricking an employee, proving once again that the “human firewall” is often the first to crumble.
Let’s break down how this happened, who is responsible, and why this specific attack vector is becoming a nightmare for the fintech world.
How did hackers bypass Figure’s security?
If you are looking for a story about broken encryption, this isn’t it. The breach at Figure was executed through social engineering, specifically targeting the company’s Single Sign-On (SSO) provider. According to research findings, the provider involved was likely Okta, a widely used identity management platform.
The attackers didn’t hack the software; they hacked the user. By compromising an employee account, they gained the keys to the kingdom. This technique is becoming alarmingly common because it bypasses the need for sophisticated coding skills. Why spend months looking for a software bug when you can just call an employee and convince them to hand over their login credentials? This method, often called “vishing” (voice phishing), allows attackers to skirt around multi-factor authentication protocols that usually stop automated attacks.
This incident isn’t isolated. It is reportedly part of a concurrent wave of cyberattacks in February 2026 targeting institutional SSO portals. Other major institutions, including Harvard University and the University of Pennsylvania, have faced similar targeted campaigns recently. It highlights a systemic risk: when you centralize identity management, you create a single point of failure that is highly attractive to social engineers.
What data was actually stolen?
This is where the story splits into two versions: the company line and the hackers’ claims. Figure spokesperson Alethea Jadick stated that the attackers downloaded only a “limited number of files” after breaking into the employee’s account. The company has maintained that the scope was contained.
However, the group claiming responsibility—ShinyHunters—tells a different story. After Figure reportedly refused to pay a ransom, the hacking group claimed they released approximately 2.5 GB of stolen data. According to these claims, the exfiltrated information is sensitive. It reportedly includes:
Customer names
Home addresses
Dates of birth
Phone numbers
While the company has not confirmed the full extent of the 2.5 GB claim, they are taking the situation seriously enough to offer free credit monitoring to affected users. For a company that trades publicly as NASDAQ: FIGR and prides itself on tech-forward efficiency, the discrepancy between “limited files” and a multi-gigabyte dump is a critical detail that investors are watching closely.
Who is ShinyHunters?
The name ShinyHunters should ring a bell if you follow cybersecurity news. This isn’t a new player. The cybercriminal group has a track record of high-profile attacks on massive entities like Ticketmaster and AT&T. Security analysts have noted a resurgence of the group in 2026, potentially collaborating with the ‘Scattered Spider’ collective.
Their modus operandi has shifted toward aggressive social engineering rather than relying solely on software exploits. They are known for targeting cloud storage and repositories, often demanding ransoms to prevent the leak of private data. In this case, Figure’s refusal to pay the ransom likely triggered the release of the data, a common retaliatory tactic used by the group to enforce their threats.
Why It Matters
This breach is a significant blow to the narrative that blockchain-adjacent companies are inherently more secure. While Figure’s underlying Provenance Blockchain technology wasn’t compromised, the market doesn’t always make that distinction; the reputational damage to a fintech firm is real and immediate. For the broader industry, this serves as a stark warning that third-party identity providers like Okta are becoming the primary battlefield. As long as attackers can bypass technical defenses by targeting human psychology, even the most advanced fintech infrastructure remains vulnerable.