High

Figure Breach: 967K Accounts Exposed

In February 2026, data obtained from the fintech lending platform Figure was publicly posted online. The exposed data, dating back to January 2026, contained over 900k unique email addresses along with names, phone numbers, physical addresses and dates of birth. Figure confirmed the incident and at...

Overview

In February 2026, a significant data breach at the fintech lending platform Figure exposed the sensitive personal information of nearly one million individuals. The company confirmed that the breach was the result of a social engineering attack, where an employee was deceived into providing system access to an unauthorized party. The stolen data, which dates back to January 2026, was subsequently posted publicly online. This incident highlights how even sophisticated financial technology companies can be vulnerable to human-error-based attacks, putting their customers at serious risk.

What Was Exposed

The breach exposed a comprehensive set of personally identifiable information (PII). For the 967,178 affected accounts, the following data was compromised:

  • Email Addresses & Names: The primary contact identifiers, which can be used to target you with convincing phishing scams.
  • Phone Numbers: Often used for two-factor authentication or targeted smishing (SMS phishing) attacks.
  • Physical Addresses: This information can be used for identity theft, targeted physical fraud, or to build a more complete profile of a victim.
  • Dates of Birth: A critical piece of information for verifying identity with banks, government agencies, and other services.

Potential Impact

The exposure of this combined dataset creates a HIGH severity risk. Cybercriminals can use this information to execute highly targeted and convincing attacks. The primary risks include:

  • Identity Theft: With your full name, address, and date of birth, criminals may attempt to open new lines of credit, file fraudulent tax returns, or access other accounts in your name.
  • Sophisticated Phishing & Scams: Armed with your personal details, attackers can craft extremely believable emails, texts, or phone calls pretending to be from Figure, your bank, or other trusted institutions to steal passwords or financial information.
  • Account Takeover: Using exposed data to answer security questions or bypass verification steps on other platforms.
  • Physical Security Concerns: In rare cases, exposed addresses could lead to targeted physical threats or fraud.

Recommendations

If you have or had an account with Figure, take these steps immediately to protect yourself:

  1. Change Your Figure Password: Immediately update your password on the Figure platform. If you use this password anywhere else, change it on those sites as well. Never reuse passwords.
  2. Enable Multi-Factor Authentication (MFA): If Figure offers MFA (also called 2FA), enable it immediately. This adds a critical layer of security beyond just a password.
  3. Beware of Targeted Phishing: Be extremely cautious of any unsolicited communication referencing your Figure account or your personal details. Do not click links or download attachments. Contact the company directly through their official website or app if in doubt.
  4. Monitor Financial Accounts & Credit: Closely review statements from your bank, credit card companies, and other financial institutions for any unauthorized activity. Consider placing a free fraud alert on your credit file with the three major bureaus (Equifax, Experian, TransUnion). For the highest level of protection, you may opt for a credit freeze.
  5. Stay Vigilant: Be alert for signs of identity theft, such as unexpected bills, denials of credit, or missing mail.

How to Check If You’re Affected

The breach has been reported to the credential monitoring service Have I Been Pwned. You can easily check if your email address was included in this incident:

  1. Visit the website: haveibeenpwned.com
  2. Enter your primary email address (and any others you may have used with Figure) into the search bar.
  3. The service will tell you if your data was found in the Figure breach, along with any other known breaches.

Even if you are not shown as affected, if you are a Figure customer, it is prudent to follow the recommendations above as a precautionary measure.
