Blockchain-based lending company Figure Technology has confirmed a data breach, according to a statement given to TechCrunch by spokesperson Alethea Jadick.

Jadick stated on Friday that the breach occurred through a social engineering attack targeting an employee, allowing hackers to steal “a limited number of files.” The company is now communicating with those impacted and its partners, and is offering free credit monitoring to all individuals who receive a notice.

Despite the confirmation, Figure’s spokesperson did not answer specific questions regarding the incident.

The hacking group ShinyHunters claimed responsibility for the hack on its dark web leak site, alleging that Figure refused to pay a ransom. The group subsequently published 2.5 gigabytes of purportedly stolen data.

TechCrunch reviewed a portion of the published data, which contained sensitive customer information, including full names, home addresses, dates of birth, and phone numbers.

A member of ShinyHunters informed TechCrunch that Figure was one of several victims of a broader hacking campaign targeting customers of the single sign-on provider Okta, with Harvard University and the University of Pennsylvania (UPenn) also among them.

The method described by the attackers aligns with a recent surge in identity-based attacks, where threat actors bypass standard security measures by compromising administrative accounts.

By targeting the single sign-on infrastructure, groups like ShinyHunters can potentially gain elevated access to a wide range of downstream applications and internal systems, making remediation significantly more complex for the affected organizations.

Security experts are urging companies to implement phishing-resistant authentication methods, such as hardware security keys, to better defend against these aggressive social engineering tactics.