In a recent alarming cybersecurity incident, nearly one million individuals have had their personal information exposed following a breach at Figure Technology Solutions, a fintech lender that leverages blockchain technology for lending and securities trading. The breach, which stemmed from a sophisticated social engineering attack, has highlighted the vulnerabilities not of technology itself, but of the human element within organizations. Award-winning tech journalist Kurt “The CyberGuy” Knutsson breaks down the details of this incident, its implications, and practical steps consumers can take to protect themselves in an increasingly digital and interconnected financial landscape.
### The Breach: What Happened at Figure Technology Solutions?
Figure Technology Solutions, founded in 2018, is known for its innovative use of blockchain—specifically the Provenance blockchain—to facilitate lending, borrowing, and securities trading. Through partnerships with banks, credit unions, fintech firms, and home improvement companies, Figure claims to have unlocked over $22 billion in home equity, positioning itself as a leader in blockchain-based financial services.
However, despite the company’s reliance on blockchain’s touted security features, nearly 1 million customer accounts were compromised in a breach revealed through data shared on “Have I Been Pwned,” a popular online resource for tracking data leaks. The compromised data included nearly 967,200 accounts with over 900,000 unique email addresses, plus sensitive personal details such as names, phone numbers, physical addresses, and dates of birth. This kind of information is a treasure trove for identity thieves and fraudsters.
Importantly, the breach did not occur because the blockchain technology itself was hacked or compromised. Instead, it was the result of a social engineering attack, where an employee at Figure was deceived into granting access to an unauthorized actor. In the company’s own words, “an employee was socially engineered, and that allowed an actor to download a limited number of files through their account.” The company took immediate action by blocking the suspicious activity, hiring a forensic firm to investigate the extent of the breach, notifying affected individuals, and offering complimentary credit monitoring services.
### The Human Factor: Why Social Engineering is a Major Threat
This incident underscores a critical point that is often overlooked in discussions about cybersecurity: attackers frequently bypass complex technological defenses by targeting humans. Social engineering exploits human trust and error rather than system vulnerabilities. In this case, Figure’s robust blockchain platform could not prevent the breach because the attacker manipulated an employee into unwittingly providing access.
Groups like ShinyHunters, which reportedly claimed responsibility for the Figure breach, specialize in these tactics. They have also targeted other major companies recently, including Canada Goose, Panera Bread, and SoundCloud, utilizing similar methods. Their modus operandi often involves impersonating IT support personnel, creating a sense of urgency, and directing employees to fake login portals that closely mimic legitimate ones. Employees who enter their credentials and multi-factor authentication codes inadvertently hand over the keys to secure single sign-on systems that connect to critical platforms such as Microsoft and Google. Once inside, attackers can move laterally through connected systems and access sensitive data.
### The Broader Implications: What This Means for You
If your data was part of the Figure breach, criminals now possess enough personal details to craft highly convincing phishing emails or phone scams. Scammers may impersonate lenders or banks, referencing your real name, phone number, or home address to gain your trust and extract further information or money. Even if you never applied for a loan through Figure, this breach serves as a stark reminder that no company or technology is impervious to human error.
The incident reveals a broader truth about cybersecurity: technology, no matter how advanced, cannot fully protect sensitive information if employees are not adequately trained or vigilant. Blockchain, often marketed as a secure and transparent platform, offers strong cryptographic protection, but it cannot prevent an employee from being deceived over the phone or email. The breach is not a failure of blockchain technology but rather a failure of trust and human security protocols.
As financial services increasingly move online, the attack surface expands. Online loan applications, identity verification tools, and cloud-based systems offer convenience but also create new vulnerabilities that cybercriminals are eager to exploit. Attackers focus on the human layer because it is often the easiest way to bypass even the most sophisticated technological defenses.
### What You Can Do to Protect Yourself
While you cannot control how companies secure their systems, you can take proactive steps to protect your personal information and respond appropriately if you suspect your data has been compromised.