In February 2026, fintech company Figure Technology Solutions confirmed a major data breach affecting nearly 1 million customers. Hackers stole Social Security numbers, loan account details, dates of birth, and other sensitive financial information after tricking an employee through a phone-based social engineering attack. If you ever applied for a loan, refinanced a mortgage, or used any service through Figure, your data may have been exposed.

The breach is especially dangerous because the stolen data includes the exact information criminals need for identity theft and financial fraud. Over 900,000 unique email addresses were exposed alongside Social Security numbers and loan details — a combination that puts affected users at critical risk. Here is everything you need to know, and exactly what to do right now.

What happened in the Figure data breach?

Figure Technology Solutions is a San Francisco-based fintech company known for using blockchain technology to power home equity loans, mortgage refinancing, and personal loans. On January 28, 2026, an unauthorized person gained access to Figure’s internal systems.

The attack was carried out by a hacking group called ShinyHunters. They did not exploit a software vulnerability — instead, they used a technique called voice phishing (or “vishing”). A member of the group called a Figure employee by phone, pretended to be from the company’s IT department, and convinced the employee to hand over their login credentials for Okta, the single sign-on system Figure uses to manage employee access.

Once inside the Okta system, the attackers had access to internal tools and customer databases. They spent time inside the network collecting data before Figure detected the intrusion.

Figure publicly confirmed the breach on February 13, 2026, after multiple reports surfaced about the incident. ShinyHunters later published approximately 2.5 gigabytes of stolen data on dark web forums after Figure refused to pay a ransom demand.

Who is affected by the Figure breach?

Anyone who has ever used a Figure product or service could be affected. This includes people who:

  • Applied for a home equity line of credit (HELOC) through Figure
  • Refinanced a mortgage through Figure’s platform
  • Took out a personal loan with Figure
  • Created an account on Figure’s website, even if they never completed an application
  • Used Figure’s blockchain-based financial services

As of April 2026, the breach had exposed over 900,000 unique email addresses. That number may grow as the investigation continues. You do not need to be a current customer: if you applied years ago, your data was likely still in their systems.

What data was exposed in the Figure breach?

This is a critical-risk breach. The stolen data includes:

  • Full names — can be used for targeted phishing and impersonation
  • Email addresses — will be used for phishing attacks and spam
  • Phone numbers — can be used for phone scams and SIM swapping
  • Physical home addresses — can be used for mail fraud and identity theft
  • Dates of birth — used to pass identity verification questions
  • Social Security numbers — the most dangerous piece of data, used for identity theft, opening fraudulent accounts, and filing fake tax returns
  • Loan account numbers — can be used for financial fraud
  • Loan information — details about loan amounts, terms, and status

The combination of Social Security numbers with names, dates of birth, and addresses is the worst-case scenario for a breach. This is everything a criminal needs to open credit cards, take out loans, or file tax returns in your name.

How can you check if your email was in the Figure breach?

Figure began notifying affected individuals on February 24, 2026 — nearly a month after the breach occurred. Many people did not receive their notification because the emails landed in spam folders or were sent to old email addresses.

Do not wait for a notification. You can check right now whether your email appeared in the Figure breach or any other known breach.

Check your email for free on EmailLeaked — it scans industry-standard breach data sources covering over 12 billion records from 962+ known breaches. The check takes under 10 seconds and shows you exactly what data was exposed.

If your email appears in the Figure breach specifically, you will see it listed with the types of data that were compromised. Even if you are not in the Figure breach, you may discover your email appeared in other breaches you did not know about.

What should you do right now if you are affected?

If you used Figure or your email appears in this breach, take these five steps immediately. Do not wait — the stolen data has already been published on the dark web.

Step 1 — Freeze your credit at all three bureaus. This is the single most important step because Social Security numbers were stolen. A credit freeze prevents anyone from opening new accounts in your name. Contact each bureau directly:

  • Equifax: 1-800-685-1111 or equifax.com
  • Experian: 1-888-397-3742 or experian.com
  • TransUnion: 1-800-916-8800 or transunion.com

A credit freeze is free, takes about 10 minutes per bureau, and does not affect your credit score.

Step 2 — Change your passwords immediately. Change the password on your Figure account and on every other account where you used the same email and password combination. Use a unique password of at least 16 characters for each account. A password manager makes this manageable.

Step 3 — Enable two-factor authentication everywhere. Turn on two-factor authentication on your email account, banking apps, and any financial services. Use an authenticator app (like Google Authenticator or Authy) rather than SMS codes, since phone numbers were also exposed in this breach and SIM swapping is a real risk.

Step 4 — Monitor your financial accounts closely. Check your bank statements, credit card activity, and loan accounts daily for the next 90 days. Set up transaction alerts if your bank offers them. Report any unfamiliar charges immediately.

Step 5 — Request an IRS Identity Protection PIN. Because Social Security numbers were stolen, tax fraud is a real concern. Go to irs.gov/ippin and request an Identity Protection PIN. This six-digit number is required to file a tax return under your Social Security number, which stops criminals from filing a fraudulent return in your name.

How did the hackers get in and could this have been prevented?

The Figure breach happened through social engineering — specifically, a voice phishing attack. A ShinyHunters member called a Figure employee, posed as IT support, and persuaded the employee to share their Okta login credentials. This gave the attackers access to Figure’s single sign-on system, which controls access to internal tools and databases.

As of 2026, this type of attack is becoming increasingly common. Voice phishing bypasses many of the technical security measures companies invest in because it targets people, not software. No firewall or encryption can stop an employee from voluntarily handing over their password on a phone call.

Could it have been prevented? Most security experts say yes. Phishing-resistant authentication methods — such as hardware security keys — would have made the stolen credentials useless even if the employee was tricked. Companies handling sensitive financial data like Social Security numbers have a responsibility to implement these stronger protections.
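
Why a hardware key changes the outcome, as an added example (not from the original article, and not Figure's or Okta's code): a simplified model of the server-side login check. The origin, account values and function names are constructed, and Ed25519 from Node's crypto module stands in for the authenticator's signature algorithm.

```javascript
// Simplified relying-party model; every name and value here is constructed.
const nodeCrypto = require('node:crypto');

const EXPECTED_ORIGIN = 'https://sso.example.com'; // hypothetical SSO origin

// Shared-secret login: the server can only compare values, so it accepts
// them from whoever submits them, including someone who was told them.
function verifySharedSecret(account, password, otp) {
  return password === account.password && otp === account.currentOtp;
}

// Hardware-key login: the private key never leaves the device. It signs the
// server's fresh challenge together with the origin the browser reported.
function signAssertion(privateKey, challenge, origin) {
  const clientData = Buffer.from(JSON.stringify({ challenge, origin }));
  return { clientData, signature: nodeCrypto.sign(null, clientData, privateKey) };
}

function verifyAssertion(publicKey, issuedChallenge, assertion) {
  const { clientData, signature } = assertion;
  // Check the signature before trusting anything inside clientData.
  if (!nodeCrypto.verify(null, clientData, publicKey, signature)) return 'bad-signature';
  const { challenge, origin } = JSON.parse(clientData.toString());
  if (challenge !== issuedChallenge) return 'stale-challenge';
  if (origin !== EXPECTED_ORIGIN) return 'wrong-origin';
  return 'accepted';
}

function demo() {
  const account = { password: 'constructed-password', currentOtp: '492017' };
  const { publicKey, privateKey } = nodeCrypto.generateKeyPairSync('ed25519');
  const newChallenge = () => nodeCrypto.randomBytes(16).toString('hex');

  const c1 = newChallenge();
  const genuine = signAssertion(privateKey, c1, EXPECTED_ORIGIN);
  const c2 = newChallenge(); // every later login attempt gets a new challenge
  const otherOrigin = signAssertion(privateKey, c2, 'https://sso-example.test');
  const rewritten = { ...genuine,
    clientData: Buffer.from(JSON.stringify({ challenge: c2, origin: EXPECTED_ORIGIN })) };

  return {
    disclosedSecrets: verifySharedSecret(account, 'constructed-password', '492017'),
    genuine: verifyAssertion(publicKey, c1, genuine),
    replayed: verifyAssertion(publicKey, c2, genuine),
    otherOrigin: verifyAssertion(publicKey, c2, otherOrigin),
    rewritten: verifyAssertion(publicKey, c2, rewritten),
  };
}
```

The password and one-time code are accepted from any sender, while an assertion is only accepted for the challenge and origin it was signed for, and there is no value the employee could read out that would satisfy the next challenge.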

Figure has not disclosed exactly what security improvements it has made since the breach. Multiple class action lawsuits have already been filed against the company for failing to adequately protect customer data and for the delay in notifying affected individuals.

What is the timeline of the Figure breach?

Here is what happened and when:

  • January 28, 2026 — Unauthorized access occurs through social engineering of a Figure employee
  • Early February 2026 — Security researchers and journalists report signs of a breach
  • February 13, 2026 — Figure publicly confirms the breach
  • February 24, 2026 — Figure begins sending notification letters to affected individuals
  • March 2026 — ShinyHunters publishes 2.5 GB of stolen data on dark web forums after ransom is refused
  • March–April 2026 — Class action lawsuits are filed; investigation continues

The gap between the breach on January 28 and notifications on February 24 — nearly a full month — has drawn criticism. During that time, affected individuals had no idea their Social Security numbers and financial data were in the hands of criminals. Several of the class action lawsuits specifically cite this notification delay as a potential violation of state data breach notification laws.

How can you protect yourself from breaches like this in the future?

No one can prevent a company from getting breached. But you can limit the damage when it happens:

  • Use a unique password for every account. If one site is breached, no other account is affected. A password manager generates and stores unique passwords for you.
  • Enable two-factor authentication on every account that offers it. Even if your password is stolen, attackers cannot get in without the second factor. Read our full guide on two-factor authentication.
  • Freeze your credit proactively. You can freeze and unfreeze your credit for free whenever you need to. Keeping it frozen by default prevents anyone from opening accounts in your name.
  • Minimise the data you share. Before signing up for a service, ask yourself whether you really need to give them your Social Security number, date of birth, or home address. The less data a company stores, the less can be stolen.
  • Check your email regularly. Use EmailLeaked to scan your email against known breaches. New breaches are added constantly, so checking periodically helps you catch exposures early.

For a complete walkthrough of post-breach steps, read our guide on what to do after a data breach.

Frequently asked questions

How many people were affected by the Figure data breach?

Nearly 1 million people were affected. The breach exposed over 900,000 unique email addresses along with Social Security numbers, loan data, and other personal information. The final number may increase as the investigation continues.

What data was stolen in the Figure breach?

The stolen data includes names, email addresses, phone numbers, physical addresses, dates of birth, Social Security numbers, loan account numbers, and loan information. This combination makes it a critical-risk breach because it provides everything needed for identity theft.

Who was behind the Figure data breach?

The hacking group ShinyHunters claimed responsibility for the attack. They used voice phishing — a phone call pretending to be IT support — to trick a Figure employee into sharing their Okta single sign-on credentials. ShinyHunters is a well-known group responsible for dozens of major breaches.

When did the Figure breach happen?

Unauthorized access occurred on January 28, 2026. Figure publicly confirmed the breach on February 13, 2026, and began notifying affected individuals on February 24, 2026. The nearly month-long gap between the breach and notifications has been cited in multiple lawsuits.

Is Figure offering free credit monitoring?

Figure has offered affected individuals a period of free credit monitoring and identity theft protection services. Details are included in the notification letters being sent to affected individuals. However, credit monitoring only alerts you after fraud happens — a credit freeze actually prevents it.

Should I close my Figure account?

If you no longer use Figure’s services, closing your account is reasonable. However, closing the account does not undo the breach — your data has already been stolen and published. The priority should be freezing your credit, changing passwords, and enabling two-factor authentication on all your other accounts.