Figure Technology Solutions, Inc. on behalf of Figure Lending LLC, Figure Markets Credit LLC, and Figure Payments Corporation: Data Breach Analysis
Analysis of the Figure Technology Solutions, Inc. (on behalf of Figure Lending LLC, Figure Markets Credit LLC, and Figure Payments Corporation) data breach disclosed 2026-01-28
Figure Technologies Breach Exposes Financial Data of Blockchain Lending Customers
A security incident at Figure Technologies, one of the most prominent blockchain-based lending platforms in the United States, has resulted in the unauthorized access of customer financial data including bank account numbers and routing information. The breach, discovered on January 28, 2026, affects customers across multiple Figure subsidiaries and potentially extends to clients of partner lenders who utilize Figure's loan servicing technology.
What Happened
Figure Technology Solutions, Inc. disclosed that unauthorized actors gained access to company databases containing loan and loan inquiry data through what the company describes as unauthorized "queries" on their systems. The breach impacted Figure Lending LLC, Figure Markets Credit LLC, and Figure Payments Corporation—the core operating entities of the Figure ecosystem.
Upon discovery, Figure stated it "acted quickly to stop the activity and enhance security measures" while engaging a leading cybersecurity firm to conduct a forensic investigation. The company also reported the incident to law enforcement.
What makes this breach particularly noteworthy is Figure's position in the financial technology landscape. The company pioneered the use of blockchain technology for home equity lines of credit (HELOCs) and has processed billions of dollars in loans since its founding in 2018. Figure also provides technology infrastructure and loan administrative services to other financial institutions, meaning the breach's impact may extend well beyond direct Figure customers.
Timeline of Events
Based on the notification letter and available information, the breach timeline appears compressed:
- January 28, 2026: Unauthorized activity discovered on Figure systems
- January 28, 2026: Data containing personal information obtained through database queries
- Late January 2026: Cybersecurity firm engaged; law enforcement notified
- Late January/Early February 2026: Customer notification process initiated
- May 31, 2026: Deadline for affected individuals to enroll in credit monitoring services
The same-day discovery and exfiltration date suggests either a rapid-moving attack or that Figure's detection capabilities identified the intrusion quickly. However, the notification does not clarify how long attackers may have had access to systems before the January 28 data exfiltration event.
Data Exposed
The compromised information includes:
- Full names
- Physical addresses
- Bank account numbers
- Bank routing numbers
Notably, Figure emphasized that Social Security Numbers were not affected, nor was there evidence of unauthorized access to customer accounts or funds. The company stated that business operations continued uninterrupted and that accounts "have strong safeguards in place."
The exposure of bank account and routing numbers is particularly concerning in the financial services context. This combination of data elements enables ACH fraud, unauthorized debits, and sophisticated social engineering attacks where fraudsters pose as legitimate financial institutions with accurate account details in hand.
Attack Vector Analysis
The notification letter describes the attack mechanism as "unauthorized activity" involving "queries on company databases that store loan and loan inquiry data." This phrasing suggests several possible scenarios:
SQL Injection or API Exploitation: Attackers may have exploited vulnerabilities in Figure's web applications or APIs to execute unauthorized database queries. This is a common attack vector against financial services platforms that expose customer-facing interfaces.
Compromised Credentials: An attacker with valid database credentials—obtained through phishing, credential stuffing, or an insider threat—could execute legitimate-looking queries to extract bulk data.
Third-Party Integration Weakness: Given Figure's role as a technology provider to other lenders, the attack may have exploited integration points between Figure's systems and partner platforms.
The use of the term "queries" rather than "data exfiltration" or "download" is unusual and may indicate that the attacker accessed data through the application layer rather than directly copying database files. This distinction matters for understanding both the sophistication of the attack and the potential scope of data accessed.
Figure's blockchain infrastructure, while innovative for loan origination and tracking, operates separately from traditional database systems that store customer PII. The breach appears to have targeted conventional databases rather than blockchain components—a reminder that blockchain adoption does not eliminate traditional security risks.
Impact Assessment
Direct Customer Impact
Affected individuals face elevated risk of:
- ACH Fraud: With bank account and routing numbers, attackers can initiate unauthorized debits or set up fraudulent payment arrangements
- Account Takeover Preparation: The stolen data provides baseline information for more targeted attacks
- Spear Phishing: Detailed knowledge of a victim's lending relationship enables highly convincing fraudulent communications
Figure is offering 24 months of credit monitoring through TransUnion's Cyberscout service, though credit monitoring has limited utility when the exposed data is bank account information rather than identity elements like SSNs.
Partner Lender Exposure
Figure explicitly states it provides "technology and loan administrative services to other lenders and business partners, which may have included the origination and/or servicing of a loan you have with our business partner lenders." This means customers of other financial institutions may be affected even if they have no direct relationship with Figure.
This third-party exposure exemplifies the concentration risk inherent in financial services technology platforms. When a single provider processes loans for multiple institutions, a breach at that provider creates systemic exposure across the industry.
Regulatory Considerations
As a company operating in mortgage lending, payments, and digital assets, Figure operates under multiple regulatory frameworks:
- GLBA (Gramm-Leach-Bliley Act): Requires financial institutions to explain information-sharing practices and protect sensitive data
- State Data Breach Notification Laws: The Maine Attorney General filing indicates compliance with state notification requirements
- CFPB Oversight: Figure's lending operations fall under Consumer Financial Protection Bureau jurisdiction
- State Lending Regulations: Mortgage and HELOC products are subject to state-level regulatory requirements
The CFPB has increasingly focused on data security at fintech companies, and this breach may attract regulatory scrutiny given Figure's scale and the nature of data exposed.
Lessons for Financial Services
Database Security Fundamentals
The breach underscores that regardless of innovative technology deployments, organizations must maintain rigorous controls over conventional data stores. Key practices include:
- Query Monitoring and Anomaly Detection: Real-time monitoring of database queries for unusual patterns, volumes, or access times
- Principle of Least Privilege: Ensuring applications and users have only the minimum database access required for their functions
- Data Segmentation: Storing sensitive elements like full account numbers in segregated, additionally protected systems
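The query-monitoring practice listed above can be sketched as a per-account baseline check over database audit records. This is an added example, not code from Figure or its notification letter; the record layout, account and table names, sample data, and thresholds are all constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime
from statistics import median

# Constructed audit records: (timestamp, db account, table, rows returned).
BASELINE = [
    ("2025-03-03T09:15:00", "svc_loan_api", "loan_inquiry", 1),
    ("2025-03-03T14:02:00", "svc_loan_api", "loan_inquiry", 3),
    ("2025-03-04T10:40:00", "svc_loan_api", "loan", 2),
    ("2025-03-05T11:05:00", "analyst_1", "loan", 120),
    ("2025-03-05T15:30:00", "analyst_1", "loan", 200),
]
OBSERVED = [
    ("2025-03-06T10:12:00", "svc_loan_api", "loan_inquiry", 2),
    ("2025-03-06T03:47:00", "svc_loan_api", "loan", 48000),
    ("2025-03-06T14:20:00", "analyst_1", "bank_account", 150),
    ("2025-03-06T14:00:00", "new_account", "loan", 5),
]

def build_profile(records):
    """Per-account baseline: row counts, active hours, tables touched."""
    prof = defaultdict(lambda: {"rows": [], "hours": set(), "tables": set()})
    for ts, user, table, rows in records:
        prof[user]["rows"].append(rows)
        prof[user]["hours"].add(datetime.fromisoformat(ts).hour)
        prof[user]["tables"].add(table)
    return prof

def detect(records, profile, volume_factor=10, hour_slack=1):
    """Return (record, reasons) for every query that departs from baseline."""
    alerts = []
    for ts, user, table, rows in records:
        p, reasons = profile.get(user), []
        if p is None:
            reasons.append("unknown_account")
        else:
            hour = datetime.fromisoformat(ts).hour
            # Circular distance so 23:00 and 00:00 count as adjacent hours.
            gap = min(min(abs(hour - h), 24 - abs(hour - h)) for h in p["hours"])
            if rows > volume_factor * median(p["rows"]):
                reasons.append("volume")
            if gap > hour_slack:
                reasons.append("off_hours")
            if table not in p["tables"]:
                reasons.append("new_table")
        if reasons:
            alerts.append(((ts, user, table, rows), reasons))
    return alerts

ALERTS = detect(OBSERVED, build_profile(BASELINE))
```

The three checks map to the "patterns, volumes, or access times" wording: a service account that normally returns a handful of rows per query and suddenly returns tens of thousands at 03:47 trips both the volume and off-hours rules, while an analyst reading a table outside their history trips only the new-table rule.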
Third-Party Risk Management
Financial institutions using technology platforms like Figure must reassess their vendor risk management programs. Questions to consider:
- What customer data is stored with technology providers?
- What security certifications and audit reports (SOC 2, penetration testing) are current?
- How are incidents at technology providers communicated to downstream institutions?
- Are contractual provisions for breach notification and liability adequate?
Incident Response Transparency
Figure's notification provides limited technical detail about the attack vector, which is common but increasingly unsatisfying to security professionals and regulators. The industry trend is moving toward greater transparency in breach disclosures, as exemplified by the SEC's 2023 cybersecurity disclosure rules requiring material incident reporting.
Looking Ahead
The Figure breach arrives as fintech companies face intensifying scrutiny over data security practices. With the Biden administration's increased focus on financial services cybersecurity and state attorneys general actively investigating breach patterns, technology-driven lenders must demonstrate security maturity that matches their innovation claims.
For affected individuals, the immediate priority is monitoring bank accounts for unauthorized activity—not just credit reports. Consider setting up transaction alerts with your financial institution and remaining vigilant for communications claiming to be from Figure or partner lenders, which may be phishing attempts leveraging stolen data.
As more details emerge from Figure's investigation and potential regulatory inquiries, FinSecLedger will continue tracking this incident's developments and implications for the financial services sector.