Blockchain-based fintech Figure just disclosed a massive data breach affecting close to one million customers, marking one of the largest financial services security incidents of 2026. The attack, attributed to the notorious ShinyHunters hacking group, exposed names, dates of birth, physical addresses, phone numbers, and email addresses - a treasure trove for identity thieves. For a company that's raised over $1 billion and positions itself as a secure alternative to traditional finance, the breach raises serious questions about security infrastructure in the crypto lending space.
Figure, the San Francisco-based fintech that's built a blockchain lending empire worth over $3.2 billion, just became the latest high-profile victim of the cybercrime wave hitting financial services. The company disclosed that hackers infiltrated its systems and made off with personal information belonging to close to one million customers - a breach that security experts are calling one of 2026's most significant fintech incidents so far.
The stolen data includes customer names, dates of birth, physical addresses, phone numbers, and email addresses, according to breach notification documents. While Figure emphasized that financial account numbers, Social Security numbers, and loan details weren't compromised, the exposed information is exactly what identity thieves need to launch phishing campaigns, conduct social engineering attacks, or piece together fuller profiles from other breached databases.
Cybersecurity researchers have linked the attack to ShinyHunters, a prolific hacking collective that's been on a tear through major corporations. The group previously claimed responsibility for breaches at Microsoft, AT&T, and Ticketmaster, often selling stolen data on dark web marketplaces for cryptocurrency. Their involvement suggests this wasn't an opportunistic attack - ShinyHunters typically targets high-value companies with deep customer databases.
Figure's breach is particularly striking given the company's positioning. Founded in 2018 by former SoFi CEO Mike Cagney, Figure has marketed itself as a technology-forward alternative to traditional banks, using blockchain to streamline home equity loans, personal loans, and other financial products. The company processes billions in loan originations annually and counts major investors like Morgan Creek Digital and DST Global among its backers. Its blockchain infrastructure, built on the Provenance network, was supposed to offer enhanced security and transparency.
But that promise didn't stop the hackers. Figure acknowledged the breach in notifications sent to affected customers, stating the company "recently became aware of a cybersecurity incident involving unauthorized access to certain systems." The company said it's working with third-party cybersecurity forensics experts to investigate the full scope of the breach and has notified law enforcement.
The timing couldn't be worse for the broader fintech sector. Just last month, another major crypto lending platform suffered a similar attack, and regulators have been ramping up scrutiny of security practices at digital-first financial companies. The Consumer Financial Protection Bureau has made it clear that fintech firms face the same data protection obligations as traditional banks - and the penalties for failures can be severe.
For Figure's customers, the immediate risk is identity theft and targeted phishing. With names, addresses, and phone numbers in hand, scammers can craft convincing emails or calls claiming to be from Figure, attempting to extract additional sensitive information. Security experts recommend affected customers enable two-factor authentication on all financial accounts, monitor credit reports closely, and be extremely skeptical of any unsolicited communications.
The breach also exposes a broader vulnerability in the blockchain finance ecosystem. While distributed ledger technology offers benefits for transaction processing and record-keeping, it doesn't automatically protect the traditional databases and systems where companies store customer information. Figure's incident proves that even blockchain-native companies must maintain robust security across their entire technology stack.
Figure hasn't disclosed how the hackers gained access or how long they had access to its systems before detection. Those details matter - dwell time often determines the scope of damage in major breaches. The company also hasn't commented on whether it will offer credit monitoring services to affected customers, a standard practice after breaches of this magnitude.
What happens next will test Figure's crisis management and could reshape how regulators view security requirements for blockchain-based financial services. The company faces potential regulatory scrutiny from multiple agencies, possible class-action lawsuits from affected customers, and the reputational damage of admitting that nearly a million people's personal data ended up in criminal hands.
The Figure breach is a wake-up call for the entire fintech industry. As blockchain-based financial platforms scale to serve millions of customers, they're becoming prime targets for sophisticated hacking groups like ShinyHunters. The exposed personal data puts close to one million people at risk of identity theft and phishing attacks, while Figure faces a reckoning over its security practices. For an industry built on promises of enhanced security through blockchain technology, this incident reveals that fundamental cybersecurity hygiene matters just as much as innovative infrastructure. Customers should assume their data is already being exploited and take immediate protective measures, while regulators are likely to use this as ammunition for tougher security mandates across the fintech sector.
