Vishing and SSO fraud expose almost a million users of Figure Technology Solutions

5 min read

A massive leak has exposed the personal data of almost a million users following an attack on the systems of Figure Technology Solutions, a fintech company that operates on blockchain and describes itself as native to that technology. Although the company did not initially publish an extensive statement, news outlets and breach notification services have been reconstructing the scope of the incident.

Figure, founded in 2018 and known for using the Provenance blockchain in loan products, investments and securitisation, has worked with more than 250 partners, including banks, credit unions and other financial institutions, and claims to have provided more than $22 billion in liquidity against home equity. You can read more about the company on its official website figure.com and about the distributed ledger technology it uses at provenance.io.

Image: generated with AI.

According to media that contacted the company, Figure attributed the incident to a social engineering attack in which an employee was deceived into providing access. TechCrunch reported the company's initial confirmation, and the Have I Been Pwned breach notification service published figures that help size the incident: 967,200 affected accounts, with unique email addresses, names, phone numbers, physical addresses and dates of birth, corresponding to data from January 2026. The breach record can be consulted on Have I Been Pwned at haveibeenpwned.com/Breach/Figure.

The group known as ShinyHunters claimed responsibility and posted on its dark web site what it says is a 2.5 GB dump of data on thousands of loan applicants. Groups like this typically exploit stolen information for extortion, sale of the files or more targeted impersonation campaigns. Several outlets have reported on and tracked its activity in recent months; among the companies affected, according to the group's own claims, are high-profile brands across different sectors.

This case fits a worrying trend in which attackers combine social-engineering phone calls (the so-called "vishing" variant) with spoofed pages that mimic corporate login portals to capture credentials and multi-factor authentication codes. A recent analysis of this technique shows attacks on single sign-on (SSO) accounts at providers such as Okta, Microsoft and Google, used as a foothold from which to reach other connected business applications. A good review of this campaign and its technical characteristics is the Silent Push report, which documents how attackers impersonated IT support to persuade employees to hand over credentials and MFA codes.

Once attackers control an SSO account, they can move laterally into a company's critical services: corporate email, sales systems, document repositories, customer-service platforms and more. That access enables everything from financial fraud to intellectual-property theft and impersonation campaigns that exploit the trust between employees and customers.

What can people and businesses do right now? First, anyone who thinks they may be affected should check whether their email address appears in the leak through a service such as Have I Been Pwned and follow the recommendations given there. It is advisable to change passwords on any service where the same credential is reused, to prefer long, unique passwords, and to enable phishing-resistant authentication methods: FIDO-based hardware security keys are the most robust option against social-engineering theft of one-time codes, because the authenticator binds each login to the genuine site's origin and there is no code for a user to read out over the phone. You can read about this technology on the FIDO Alliance's site.
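The two paragraphs above describe why a relayed MFA code works for a vishing caller while a FIDO login does not. The following is an added example written for this article, not code from the page, from Figure or from any identity provider: it implements RFC 6238 TOTP to show that the genuine portal cannot distinguish a code the victim typed from one an attacker relayed, then models the WebAuthn checks (browser-supplied origin, rpId validity, rpIdHash and challenge) that make an assertion obtained on a look-alike page useless. The origins, rpId and credential key are assumed values, and the credential's asymmetric signature is replaced by an HMAC stand-in so the block stays standard-library only.

```python
import hashlib
import hmac
import json
import struct

# Constructed demonstration; not code from the page, from Figure or from any IdP.
# The asymmetric credential signature of real FIDO/WebAuthn is replaced by an HMAC
# under a per-credential key (assumption, to stay standard-library only); the checks
# the relying party performs (origin, rpIdHash, challenge) are the real ones.

REAL_ORIGIN = "https://login.example.com"              # assumed genuine SSO portal
REAL_RP_ID = "example.com"                              # assumed relying-party ID
PHISH_ORIGIN = "https://login-example-support.example"  # assumed look-alike phishing page


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP over HMAC-SHA1: the kind of code a vishing caller asks a victim to read out."""
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = (struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF) % (10 ** digits)
    return f"{code:0{digits}d}"


def portal_verify_totp(secret: bytes, submitted: str, unix_time: int) -> bool:
    """The genuine portal only sees a six-digit string; it cannot know where the user typed it."""
    return hmac.compare_digest(totp(secret, unix_time), submitted)


def phish_relay_totp(secret: bytes, unix_time: int, relay_delay_s: int = 5) -> bool:
    """Vishing flow: the victim reads the code to the fake help desk, who types it into the real portal."""
    code_read_out = totp(secret, unix_time)
    return portal_verify_totp(secret, code_read_out, unix_time + relay_delay_s)


def browser_get_assertion(page_origin: str, rp_id: str, challenge: bytes, cred_key: bytes) -> dict:
    """Models navigator.credentials.get(): the browser, not the page, writes the origin into
    clientData and refuses an rpId that is not the page host or a registrable suffix of it."""
    host = page_origin.split("://", 1)[1]
    if not (host == rp_id or host.endswith("." + rp_id)):
        raise ValueError("SecurityError: rpId is not valid for this origin")
    client_data = json.dumps(
        {"type": "webauthn.get", "challenge": challenge.hex(), "origin": page_origin}, sort_keys=True
    ).encode()
    # authenticatorData = rpIdHash (32 bytes) || flags (UP set) || signature counter
    auth_data = hashlib.sha256(rp_id.encode()).digest() + b"\x01" + b"\x00\x00\x00\x01"
    to_sign = auth_data + hashlib.sha256(client_data).digest()
    signature = hmac.new(cred_key, to_sign, hashlib.sha256).digest()  # HMAC stand-in for the key signature
    return {"client_data": client_data, "auth_data": auth_data, "signature": signature}


def rp_verify(assertion: dict, challenge: bytes, cred_key: bytes) -> bool:
    """Relying-party side: check type, origin, challenge and rpIdHash before the signature."""
    cd = json.loads(assertion["client_data"])
    if cd.get("type") != "webauthn.get" or cd.get("origin") != REAL_ORIGIN or cd.get("challenge") != challenge.hex():
        return False
    if assertion["auth_data"][:32] != hashlib.sha256(REAL_RP_ID.encode()).digest():
        return False
    to_sign = assertion["auth_data"] + hashlib.sha256(assertion["client_data"]).digest()
    return hmac.compare_digest(hmac.new(cred_key, to_sign, hashlib.sha256).digest(), assertion["signature"])


def legitimate_fido_login(challenge: bytes, cred_key: bytes) -> bool:
    """User on the genuine portal: the browser fills in REAL_ORIGIN and the RP accepts."""
    return rp_verify(browser_get_assertion(REAL_ORIGIN, REAL_RP_ID, challenge, cred_key), challenge, cred_key)


def phish_relay_fido(challenge: bytes, cred_key: bytes) -> dict:
    """Adversary-in-the-middle flow: the phishing page relays the genuine challenge and tries both rpId choices."""
    outcome = {}
    try:
        browser_get_assertion(PHISH_ORIGIN, REAL_RP_ID, challenge, cred_key)
        outcome["with_real_rp_id"] = "assertion produced"
    except ValueError as err:
        outcome["with_real_rp_id"] = str(err)
    phish_host = PHISH_ORIGIN.split("://", 1)[1]
    relayed = browser_get_assertion(PHISH_ORIGIN, phish_host, challenge, cred_key)
    outcome["with_phish_rp_id"] = "accepted" if rp_verify(relayed, challenge, cred_key) else "rejected by relying party"
    return outcome


if __name__ == "__main__":
    secret, key, chal = b"12345678901234567890", b"credential-private-key-stand-in", bytes(range(32))
    print("relayed TOTP accepted:", phish_relay_totp(secret, 1_700_000_000))
    print("genuine FIDO login:", legitimate_fido_login(chal, key))
    print("relayed FIDO login:", phish_relay_fido(chal, key))
```

The point of the two branches in `phish_relay_fido` is that the phisher has no good option: asking for the genuine rpId from a look-alike host is refused by the browser, and asking for its own rpId yields an assertion whose origin and rpIdHash the genuine relying party rejects. A relayed TOTP code, by contrast, is accepted as long as it arrives inside the time step.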

It is also wise to review bank and card statements for unusual activity, set up alerts with financial institutions and, for those in the US, consider freezing their credit reports. For victims of identity theft, the official US government portal offers concrete steps at identitytheft.gov. For general hygiene, the US Cybersecurity and Infrastructure Security Agency (CISA) maintains practical recommendations for defending against phishing and its social-engineering variants in its phishing guidance.

Image: generated with AI.

For organizations, the lesson goes beyond the immediate fix: it is key to strengthen access controls, implement adaptive authentication policies and limit privileges under the principle of least privilege. Monitoring and responding to anomalous SSO sessions, segmenting access to sensitive data and maintaining continuous employee awareness programmes that include realistic phishing and vishing simulations are measures that reduce the impact of such attacks. Backups, incident response plans and access traceability are also essential to contain and recover from intrusions.
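"Monitoring and responding to anomalous SSO sessions" is easier to act on with a concrete rule. The following is an added example written for this article, not code from the page, from Figure or from any identity provider: it runs three detections over a constructed, simplified Okta-style system log (the field names `published`, `actor`, `eventType`, `ip` and `outcome` are assumptions) and a per-user IP baseline that is also assumed. The rules are a successful login from an IP outside the user's baseline, two sessions from different IPs within ten minutes (what a relayed login looks like from the IdP's side), and an MFA factor enrolment shortly after a new-IP login, which is the step an intruder takes to keep access after the vishing call ends.

```python
import json
from datetime import datetime, timedelta

# Added example, not code from the page, from Figure or from any identity provider.
# The events below are constructed; their shape is an assumed, simplified Okta-style
# system log (actor, eventType, client ip, outcome), and the field names are assumptions.
CONSTRUCTED_LOG = """\
{"published":"2026-01-14T09:00:05Z","actor":"alice","eventType":"user.session.start","ip":"203.0.113.10","outcome":"SUCCESS"}
{"published":"2026-01-14T09:02:41Z","actor":"alice","eventType":"user.session.start","ip":"198.51.100.7","outcome":"SUCCESS"}
{"published":"2026-01-14T09:07:12Z","actor":"alice","eventType":"user.mfa.factor.activate","ip":"198.51.100.7","outcome":"SUCCESS"}
{"published":"2026-01-14T09:15:00Z","actor":"bob","eventType":"user.session.start","ip":"192.0.2.44","outcome":"SUCCESS"}
{"published":"2026-01-14T09:30:00Z","actor":"bob","eventType":"user.mfa.factor.activate","ip":"192.0.2.44","outcome":"SUCCESS"}
{"published":"2026-01-14T09:40:00Z","actor":"carol","eventType":"user.session.start","ip":"198.51.100.9","outcome":"FAILURE"}
"""

# Assumed per-user baseline: source IPs seen for each user over the previous 30 days.
BASELINE = {"alice": {"203.0.113.10"}, "bob": {"192.0.2.44"}, "carol": {"203.0.113.22"}}

NEW_IP_WINDOW = timedelta(minutes=60)      # factor enrolment this soon after a new-IP login is suspicious
CONCURRENT_WINDOW = timedelta(minutes=10)  # sessions from different IPs this close together suggest a relay


def parse_events(raw: str) -> list:
    """Parse one JSON event per line and return them in time order."""
    events = [json.loads(line) for line in raw.splitlines() if line.strip()]
    for e in events:
        e["ts"] = datetime.strptime(e["published"], "%Y-%m-%dT%H:%M:%SZ")
    return sorted(events, key=lambda e: e["ts"])


def detect(events: list, baseline: dict) -> list:
    """Stream the sorted events once, keeping per-user state, and return the alerts raised."""
    alerts = []
    logins = {}         # actor -> [(ts, ip)] successful session starts seen so far
    new_ip_logins = {}  # actor -> [ts] successful session starts from IPs outside the baseline

    def alert(rule, severity, e):
        alerts.append({"rule": rule, "severity": severity, "actor": e["actor"], "ip": e["ip"], "ts": e["published"]})

    for e in events:
        if e["outcome"] != "SUCCESS":
            continue
        actor, ts, ip = e["actor"], e["ts"], e["ip"]
        if e["eventType"] == "user.session.start":
            if ip not in baseline.get(actor, set()):
                alert("login_from_new_ip", "medium", e)
                new_ip_logins.setdefault(actor, []).append(ts)
            if any(prev_ip != ip and ts - prev_ts <= CONCURRENT_WINDOW
                   for prev_ts, prev_ip in logins.get(actor, [])):
                alert("concurrent_sessions_distinct_ips", "medium", e)
            logins.setdefault(actor, []).append((ts, ip))
        elif e["eventType"] == "user.mfa.factor.activate":
            # An intruder who got in via relayed credentials typically enrols a factor of their own.
            if any(ts - t <= NEW_IP_WINDOW for t in new_ip_logins.get(actor, [])):
                alert("mfa_enrollment_after_new_ip_login", "high", e)
    return alerts


if __name__ == "__main__":
    for a in detect(parse_events(CONSTRUCTED_LOG), BASELINE):
        print(a)
```

On the constructed log, only alice trips the rules: her second session comes from an unknown IP two and a half minutes after a baseline-IP session, and a new factor is activated from that unknown IP five minutes later. bob's factor enrolment from a known IP with no preceding new-IP login stays quiet, and carol's failed login is ignored by design. The high-severity alert is the one to route to an on-call responder for session revocation and factor review rather than to a daily digest.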

The Figure episode joins a wave of intrusions at companies large and small in which the combination of social engineering and SSO access has proved particularly effective for attackers. As investigations continue and those responsible meet their legal and regulatory reporting obligations, what both users and companies can do is act quickly to limit the damage and, above all, shift their defence strategy toward mechanisms that are less vulnerable to identity impersonation.

If you want to follow this case, the initial report and company statements are available at TechCrunch; the technical breakdown and tracking of the extortion group appears in public records and security forums; and the summary of affected accounts is provided by Have I Been Pwned. Staying informed and taking preventive measures remains, today, the best defence.
