Blockchain-based fintech Figure just disclosed a massive data breach affecting close to one million customers, marking one of the largest financial services security incidents of 2026. The attack, attributed to the notorious ShinyHunters hacking group, exposed names, dates of birth, physical addresses, phone numbers, and email addresses - a treasure trove for identity thieves. For a company that's raised over $1 billion and positions itself as a secure alternative to traditional finance, the breach raises serious questions about security infrastructure in the crypto lending space.
Figure, the San Francisco-based fintech that's built a blockchain lending empire worth over $3.2 billion, just became the latest high-profile victim of the cybercrime wave hitting financial services. The company disclosed that hackers infiltrated its systems and made off with personal information belonging to close to one million customers - a breach that security experts are calling one of 2026's most significant fintech incidents so far.
The stolen data includes customer names, dates of birth, physical addresses, phone numbers, and email addresses, according to breach notification documents. While Figure emphasized that financial account numbers, Social Security numbers, and loan details weren't compromised, the exposed information is exactly what identity thieves need to launch phishing campaigns, conduct social engineering attacks, or piece together fuller profiles from other breached databases.
Cybersecurity researchers have linked the attack to ShinyHunters, a prolific hacking collective that's been on a tear through major corporations. The group previously claimed responsibility for breaches at Microsoft, AT&T, and Ticketmaster, often selling stolen data on dark web marketplaces for cryptocurrency. Their involvement suggests this wasn't an opportunistic attack - ShinyHunters typically targets high-value companies with deep customer databases.
