ShellCodeX
Tools โ€ข Events โ€ข News โ€ข Insights
ShellCodeX Breach Report

Figure Data Breach

figure.com
Limited exposure
Verified breach
Accounts exposed 967,178
Breach date 28 Jan 2026
Added to tracker 18 Feb 2026
Data classes 5

What happened

In February 2026, data obtained from the fintech lending platform Figure was publicly posted online. The exposed data, dating back to January 2026, contained over 900k unique email addresses along with names, phone numbers, physical addresses and dates of birth. Figure confirmed the incident and attributed it to a social engineering attack in which an employee was tricked into providing access.

Exposed data

Dates of birth Email addresses Names Phone numbers Physical addresses

Recommended actions

  • Watch for targeted phishing emails referencing Figure โ€” attackers weaponise breach data quickly.
  • Stay alert for smishing (SMS phishing) and SIM-swap attempts using your phone number.
  • Exposed identity data raises identity-theft risk โ€” consider credit monitoring or a credit freeze.
  • Check whether your email address appears in this breach on haveibeenpwned.com.
Am I affected? Check whether your email address appears in this breach.
Check on HIBP