High

Figure Breach: 967K Accounts Exposed


Overview

In February 2026, a dataset containing the personal information of 967,178 users of the fintech lending platform Figure was publicly posted online. The exposed records, dating from January 2026, include email addresses, full names, phone numbers, physical addresses, and dates of birth. Figure confirmed the incident to Have I Been Pwned (HIBP), where affected users can now search their email addresses. The breach raises significant concerns about identity theft and targeted social engineering, particularly given the sensitive financial context of Figure’s user base.

What Was Exposed

The breach exposed a comprehensive set of personally identifiable information (PII), including:

  • Email Addresses – Enable targeted phishing campaigns.
  • Full Names and Physical Addresses – Facilitate identity verification fraud.
  • Phone Numbers – Risk of vishing and smishing attacks.
  • Dates of Birth – A key piece of information for identity theft and account recovery bypass.

Notably absent from the exposed data are Social Security numbers, bank account details, and loan-specific information. That limits the immediate financial damage but does little to reduce the identity fraud risk, because the fields that were exposed (name, address, date of birth, phone number) are exactly the ones used to pass knowledge-based identity checks.

Why This Matters for Figure Users

Figure operates in the lending and home equity space, meaning its users have likely provided additional financial documentation during onboarding. While those documents were not exposed in this incident, the combination of PII raises the risk of:

  • Account takeover – An attacker who knows a customer’s name, address, date of birth and phone number can impersonate them to Figure’s support line and attempt to reset login or security details.
  • Synthetic identity fraud – Criminals can combine real names, addresses, and birth dates with fabricated data to open new credit lines.
  • Phishing attacks – Emails or text messages referencing the breached data may trick users into providing further sensitive information.

Given that the data was posted publicly and not sold on a closed forum, the window for exploitation is immediate and broad.

How the Breach Happened

Figure has not released a full technical postmortem. The record timestamps in the dataset suggest the data was exfiltrated in January 2026, roughly a month before it was posted publicly. A lag between theft and disclosure is common and on its own says little about the initial access vector; the structured, bulk nature of the dump is consistent with a misconfigured database or compromised internal credentials, but neither has been confirmed. No ransomware or extortion group has claimed responsibility, and there is no evidence that a known CVE was exploited. Treat any root-cause claim as speculative until Figure publishes details.

How to Check If You’re Affected

If you have a Figure account, the fastest way to check is to visit Have I Been Pwned and search your email address. The site will confirm whether your email appears in this specific breach. You can also monitor Figure’s official communications for breach notification letters, which they are required to send under state data breach notification laws.
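For readers who would rather script the lookup than use the web form, the following Python example, added here and not part of the original report or of any Figure or HIBP tooling, queries the HIBP v3 breached-account endpoint and pulls out the entry for this breach. It assumes the incident is listed in HIBP under the name `Figure` (confirm the actual breach name on the HIBP site), that you hold an HIBP API key in the `HIBP_API_KEY` environment variable, and that the `SAMPLE_RESPONSE` below is a constructed illustration of the API’s response shape, with illustrative values rather than real HIBP data.

```python
import json
import urllib.error
import urllib.parse
import urllib.request

HIBP_BREACHED_ACCOUNT = "https://haveibeenpwned.com/api/v3/breachedaccount/"

# Assumed HIBP breach name for this incident; confirm it on haveibeenpwned.com.
FIGURE_BREACH_NAME = "Figure"

# Constructed sample of the JSON HIBP returns for a pwned account when
# truncateResponse=false. Values are illustrative only, not real HIBP data.
SAMPLE_RESPONSE = json.dumps([
    {
        "Name": "Figure",
        "Title": "Figure",
        "Domain": "figure.example",
        "BreachDate": "2026-01-01",
        "AddedDate": "2026-02-01T00:00:00Z",
        "PwnCount": 967178,
        "DataClasses": ["Dates of birth", "Email addresses", "Names",
                        "Phone numbers", "Physical addresses"],
        "IsVerified": True,
        "IsSensitive": False,
    },
    {
        "Name": "ExampleOldBreach",
        "Title": "Example Old Breach",
        "Domain": "old.example",
        "BreachDate": "2019-05-03",
        "AddedDate": "2019-06-01T00:00:00Z",
        "PwnCount": 12345,
        "DataClasses": ["Email addresses", "Passwords"],
        "IsVerified": True,
        "IsSensitive": False,
    },
])


def load_sample():
    """Parse the constructed sample so the script can run offline."""
    return json.loads(SAMPLE_RESPONSE)


def fetch_breaches(email, api_key, timeout=10):
    """Return the list of breach records HIBP holds for `email`.

    HIBP answers 404 when the account appears in no breach at all, so that
    case is mapped to an empty list; other errors (401 bad key, 429 rate
    limit) are re-raised so they are not mistaken for a clean result.
    """
    url = (HIBP_BREACHED_ACCOUNT + urllib.parse.quote(email, safe="")
           + "?truncateResponse=false")
    req = urllib.request.Request(url, headers={
        "hibp-api-key": api_key,                       # required by the v3 API
        "user-agent": "figure-breach-check-example",   # HIBP rejects requests without one
    })
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return json.loads(resp.read().decode("utf-8"))
    except urllib.error.HTTPError as err:
        if err.code == 404:
            return []
        raise


def find_breach(breaches, name=FIGURE_BREACH_NAME):
    """Return the breach record whose Name matches `name`, or None."""
    for breach in breaches:
        if breach.get("Name") == name:
            return breach
    return None


def exposed_data_classes(breaches):
    """Union of data classes across all of the account's breaches, sorted."""
    classes = set()
    for breach in breaches:
        classes.update(breach.get("DataClasses", []))
    return sorted(classes)


def report(breaches, name=FIGURE_BREACH_NAME):
    """Summarise the lookup; returns (listed_in_named_breach, summary_lines)."""
    hit = find_breach(breaches, name)
    lines = []
    if hit is None:
        lines.append(f"Not listed in the {name} breach.")
    else:
        lines.append(f"Listed in {hit['Title']} (breach date {hit['BreachDate']}, "
                     f"{hit['PwnCount']:,} accounts).")
        lines.append("Exposed: " + ", ".join(hit["DataClasses"]))
    # Passwords were not part of the Figure dump, but an older breach may have them.
    if "Passwords" in exposed_data_classes(breaches):
        lines.append("A password was exposed in at least one breach: rotate it and enable 2FA.")
    return hit is not None, lines


if __name__ == "__main__":
    import os
    import sys
    key = os.environ.get("HIBP_API_KEY")
    if key and len(sys.argv) == 2:
        data = fetch_breaches(sys.argv[1], key)   # live lookup: script.py you@example.com
    else:
        data = load_sample()                      # offline demo on the constructed sample
    affected, summary = report(data)
    print("\n".join(summary))
    sys.exit(2 if affected else 0)
```

The script exits non-zero when the address is listed, so it can be dropped into a loop over a mailbox export or an internal address list to find which staff or customer addresses need a notification. The 404 handling matters: treating every HTTP error as "not found" would silently report a clean result when the API key is rejected or the request is rate limited.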

What to Do Right Now

  1. Freeze your credit – Even without SSN exposure, place a free credit freeze at Experian, Equifax, and TransUnion so that new accounts cannot be opened in your name without your lifting the freeze.
  2. Enable two-factor authentication (2FA) on your Figure account and any other online accounts that share your email or phone number.
  3. Be phishing-aware – Do not click links in unsolicited emails or texts claiming to be from Figure. Navigate directly to the official website or app.
  4. Watch for account takeover attempts – Monitor your Figure account for unauthorized login attempts or changes to your profile.

Security Insight

This breach highlights the persistent risk of data aggregation in fintech. Figure’s response - confirming the incident and reporting it to HIBP - is a best practice, but the exposure of date of birth alongside other PII is particularly dangerous in the lending industry, where account recovery and support-desk verification often rely on that field. Unlike a credential-stuffing attack, which yields only the accounts whose passwords were already known, this is a bulk dump of raw PII records, which points to access to the underlying data store rather than per-account abuse; whether that access came through a misconfigured database, stolen credentials, or an application flaw that allowed bulk extraction has not been established. The true measure of Figure’s security posture will be whether they can demonstrate that no financial data was accessed, and whether they commit to an independent audit of their data storage practices.
