Figure Technology Data Breach Hits Nearly 1 Million Accounts

Figure Technology has disclosed a data breach affecting nearly 1 million accounts, in which a third-party vendor compromise exposed personal contact and account information.

Figure Technology, a fintech known for blockchain-based lending, payments and asset-tokenisation services, has confirmed a significant data breach that exposed the personal information of nearly 1 million individuals across its platforms. According to the company’s latest notification to affected users and regulators, the incident involved unauthorised access to customer data — including names, email addresses, postal addresses, phone numbers and limited financial account details — resulting from a compromise of a third-party vendor linked to Figure’s technology stack. While Figure says no passwords or full payment card data were accessed, the breach raises fresh concerns about digital identity security and vendor risk in the rapidly expanding fintech ecosystem.

The breach was discovered following unusual activity identified by internal monitoring and cybersecurity partners, prompting a swift containment response and engagement with forensic investigators. Figure has commenced regulatory notifications, offered credit monitoring services to impacted users and recommended steps to mitigate identity risk. This episode adds to a series of high-profile security incidents across financial services and technology providers, underscoring the ongoing need for robust cyber defences — particularly for companies bridging traditional finance with blockchain-enabled services.

Key Highlights

  • Data breach confirmed: Figure Technology has reported a security incident affecting nearly 1 million accounts.
  • Scope of data exposed: Names, email addresses, postal addresses, phone numbers and partial account information were compromised.
  • Vendor-linked incident: The breach stemmed from unauthorised access through a third-party service provider.
  • No passwords or full card numbers accessed: Figure says sensitive login credentials and full card details were not exposed.
  • Response measures: Affected users are being notified and offered complimentary credit monitoring.
  • Industry context: Highlights ongoing cyber risk concerns for fintechs and digital financial platforms.

Details of the Breach

According to notifications shared with users and regulators, the breach involved a third-party software component used by Figure that was exploited by threat actors. While Figure’s own core systems are not believed to have been directly compromised, the incident underscores the systemic risk posed by interconnected vendor ecosystems that underlie digital financial services today.

The exposed fields reportedly include:

  • User names
  • Email addresses
  • Postal addresses
  • Phone numbers
  • Account identifiers or partial account references (not complete card or payment data)

The company has emphasised that login credentials (passwords) and full payment card numbers were not accessed in the incident, reducing, but not eliminating, the risk of unauthorised use of accounts or payments. Figure’s security and compliance teams, in consultation with external forensic specialists, are continuing to investigate the intrusion and implement remediation steps.

Company Response and User Guidance

In its communications to customers, Figure disclosed the breach details and outlined support measures, including:

  • Free credit monitoring and identity protection services for affected individuals for at least 12 months.
  • Recommendations to enable multi-factor authentication (MFA) and update passwords where appropriate (e.g., for accounts on connected platforms).
  • Guidance on how to spot and report phishing attempts, unusual account activity and identity fraud.

The company also affirmed that it has notified relevant data protection authorities in jurisdictions where affected users reside, in accordance with applicable breach notification laws.

Why This Matters

1. Rising Cyber Risk in Fintech

Fintechs like Figure sit at the intersection of traditional banking and emerging technologies such as blockchain and smart contracts. Their rapid growth, complex tech stacks and reliance on multiple vendors and APIs create expanded attack surfaces that cybercriminals are increasingly targeting. High-profile breaches erode trust and highlight the need for robust security frameworks across the entire vendor ecosystem.

2. Vendor-Linked Vulnerabilities

Many security incidents do not originate in the host firm’s core systems but instead leverage weaknesses in third-party components — from payment processors and analytics tools to CRM or software libraries. Managing third-party risk is now a central concern for CISOs and compliance teams, requiring continuous assessment, contractual safeguards and deep visibility into vendor security practices.

3. Consumer Identity and Fraud Risk

Although this breach did not expose full card numbers or passwords, the combination of personal information — especially email addresses and contact details — can be leveraged in phishing campaigns, social engineering and account takeovers on other platforms. Prompt issuance of credit monitoring and clear user guidance is essential to mitigate downstream fraud risk.

Market and Regulatory Context

Data breaches in the financial sector continue to attract regulatory scrutiny across major jurisdictions, from the European Union’s GDPR breach notification regime to US state-by-state data protection laws and financial regulators’ cyber incident reporting requirements. Companies that fail to adequately protect customer data or delay notification risk fines, enforcement action and reputational damage.

For fintechs, navigating these requirements — particularly when services span multiple countries — adds complexity to breach response and compliance efforts.