Dark Web News Analysis
Cybersecurity intelligence from February 14, 2026, has confirmed a high-severity data exposure involving Figure Technology Solutions, Inc. The notorious cybercriminal collective ShinyHunters (often operating under the Scattered LAPSUS$ Hunters banner) has published a compressed archive on its Tor-based leak site after Figure reportedly refused to meet a ransom demand.
The initial access did not rely on a software vulnerability but on targeted social engineering. The attackers ran a voice phishing (vishing) campaign, impersonating internal IT support to persuade a Figure employee to enter their Okta SSO (single sign-on) credentials on an attacker-controlled login page. That page was backed by a real-time “Adversary-in-the-Middle” (AiTM) phishing kit, which relayed the credentials and the MFA response to the legitimate Okta tenant and captured the resulting authenticated session, letting the threat actors bypass multi-factor authentication (MFA) and reach the corporate environment.
The exfiltrated dataset, totaling roughly 2.5 GB in its raw state, includes:
- Personally Identifiable Information (PII): Full names, home addresses, dates of birth, and phone numbers.
- Sensitive Financial Data: Customer financial records and documents related to Figure’s blockchain-based lending.
- KYC (Know Your Customer) Metadata: Documentation used for identity verification.
- Internal Corporate Records: A variety of internal files in .pdf, .csv, .docx, and .json formats.
Key Cybersecurity Insights
The breach of a fintech leader like Figure—valued at over $5 billion following its recent IPO—represents a “Tier 0” threat with massive implications for the financial sector:
- Bypassing MFA via Real-Time Orchestration: This attack shows that one-time codes, SMS codes and push approvals are not a sufficient defense against a professional extortion crew. ShinyHunters used kits that proxy the victim’s interaction with a fake login page to the legitimate portal in real time, so the credentials and second factor are replayed as they are entered and the resulting session token is captured instantly; from then on the attacker holds a logged-in session and never needs the password or a fresh code.
- Fintech and Blockchain Specific Targeting: Figure’s role in the On-Chain Public Equity Network (OPEN) makes this leak particularly sensitive. Access to internal project files could provide a blueprint for future attacks on decentralized financial (DeFi) infrastructure or the Provenance blockchain.
- Identity Enrichment for Secondary Fraud: The inclusion of dates of birth and home addresses allows other cybercriminals to “enrich” their own databases. This data will likely be sold on dark web forums to help scammers build hyper-convincing profiles for synthetic identity theft and bank fraud.
- The “Blast Zone” of SSO Compromise: Because Figure utilizes Okta as a centralized identity provider, once the attackers gained access to the SSO dashboard, they were able to enumerate and exfiltrate data from multiple connected SaaS platforms (such as Salesforce or Slack) without ever touching Figure’s own servers.
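The relay described above works because a one-time code carries no record of where it was typed, whereas a FIDO2/WebAuthn assertion does. The following is an added illustration, not code from the original post, from Figure or from Okta: hostnames are constructed, and HMAC-SHA256 with a key the relying party also holds stands in for the authenticator's asymmetric signature (real devices sign with a per-site ECDSA or EdDSA key). That substitution does not change the point being shown, which is that the browser, not the page, stamps the origin into the signed payload, the authenticator only releases a credential for the relying-party ID it was enrolled for, and the server checks both.

```python
"""Why an AiTM proxy can relay an OTP but not a WebAuthn assertion.

Added illustration; not code from the original post, Figure or Okta. Hostnames
are constructed. HMAC-SHA256 (key shared with the relying party) stands in for
the authenticator's asymmetric signature.
"""
import base64
import hashlib
import hmac
import json
import secrets
from urllib.parse import urlparse

LEGIT_ORIGIN = "https://login.example-fintech.com"       # constructed
LEGIT_RP_ID = "example-fintech.com"
PHISH_ORIGIN = "https://login.example-fintech-sso.com"   # attacker's lookalike, constructed
PHISH_RP_ID = "example-fintech-sso.com"


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def otp_portal_accepts(expected_code: str, relayed_code: str) -> bool:
    # Legacy factor: the kit forwards the digits typed on the fake page; a code
    # says nothing about where it was typed, so the real portal accepts it.
    return hmac.compare_digest(expected_code, relayed_code)


class Authenticator:
    # One key per RP ID, as on a real FIDO2 device (HMAC key stands in for the private key).
    def __init__(self):
        self.creds = {}

    def register(self, rp_id: str) -> bytes:
        self.creds[rp_id] = secrets.token_bytes(32)
        return self.creds[rp_id]            # the RP stores this at enrolment

    def sign(self, rp_id: str, client_data_json: bytes):
        if rp_id not in self.creds:
            return None                      # no credential scoped to this RP ID
        # authenticatorData = sha256(rpId) || flags || signCount
        auth_data = hashlib.sha256(rp_id.encode()).digest() + b"\x01" + (0).to_bytes(4, "big")
        to_sign = auth_data + hashlib.sha256(client_data_json).digest()
        sig = hmac.new(self.creds[rp_id], to_sign, hashlib.sha256).digest()
        return {"clientDataJSON": client_data_json, "authenticatorData": auth_data, "signature": sig}


def browser_get_assertion(origin: str, rp_id: str, challenge: bytes, authn: Authenticator):
    """What navigator.credentials.get() does: scope check, then build clientDataJSON itself."""
    host = urlparse(origin).hostname
    if not (host == rp_id or host.endswith("." + rp_id)):
        return None, f"browser: rpId {rp_id!r} is not a registrable suffix of {host!r}"
    client_data = json.dumps({"type": "webauthn.get", "challenge": b64url(challenge),
                              "origin": origin}).encode()    # page script cannot alter this
    assertion = authn.sign(rp_id, client_data)
    if assertion is None:
        return None, f"authenticator: no credential for rpId {rp_id!r}"
    return assertion, "ok"


def rp_verify(pubkey: bytes, expected_origin: str, rp_id: str, challenge: bytes, a: dict):
    """Server-side checks from the WebAuthn assertion verification procedure."""
    cd = json.loads(a["clientDataJSON"])
    if cd.get("type") != "webauthn.get":
        return False, "wrong ceremony type"
    if cd.get("challenge") != b64url(challenge):
        return False, "challenge mismatch"
    if cd.get("origin") != expected_origin:
        return False, f"origin mismatch: {cd.get('origin')}"
    if a["authenticatorData"][:32] != hashlib.sha256(rp_id.encode()).digest():
        return False, "rpIdHash mismatch"
    to_sign = a["authenticatorData"] + hashlib.sha256(a["clientDataJSON"]).digest()
    if not hmac.compare_digest(hmac.new(pubkey, to_sign, hashlib.sha256).digest(), a["signature"]):
        return False, "signature invalid"
    return True, "ok"


def demo() -> dict:
    authn = Authenticator()
    pubkey = authn.register(LEGIT_RP_ID)        # key enrolled at the real portal
    challenge = secrets.token_bytes(32)         # issued by the real portal, relayed by the kit
    r = {"otp_relay_accepted": otp_portal_accepts("482913", "482913")}
    # 1. Fake page asks for the real RP ID: the browser refuses before the key is touched.
    a, why = browser_get_assertion(PHISH_ORIGIN, LEGIT_RP_ID, challenge, authn)
    r["phish_requests_real_rpid"] = (a is not None, why)
    # 2. Fake page asks for its own RP ID: the device holds no credential for it.
    a, why = browser_get_assertion(PHISH_ORIGIN, PHISH_RP_ID, challenge, authn)
    r["phish_requests_own_rpid"] = (a is not None, why)
    # 3. Even an assertion stamped with the phishing origin (browser bypassed) fails the
    #    RP's origin check, and patching the origin field in transit breaks the signature.
    cd_phish = json.dumps({"type": "webauthn.get", "challenge": b64url(challenge),
                           "origin": PHISH_ORIGIN}).encode()
    stamped = authn.sign(LEGIT_RP_ID, cd_phish)
    r["phish_origin_verbatim"] = rp_verify(pubkey, LEGIT_ORIGIN, LEGIT_RP_ID, challenge, stamped)
    patched = dict(stamped, clientDataJSON=cd_phish.replace(PHISH_ORIGIN.encode(), LEGIT_ORIGIN.encode()))
    r["phish_origin_patched"] = rp_verify(pubkey, LEGIT_ORIGIN, LEGIT_RP_ID, challenge, patched)
    # 4. Genuine login from the real origin verifies.
    genuine, _ = browser_get_assertion(LEGIT_ORIGIN, LEGIT_RP_ID, challenge, authn)
    r["genuine"] = rp_verify(pubkey, LEGIT_ORIGIN, LEGIT_RP_ID, challenge, genuine)
    return r
```

Running `demo()` shows the asymmetry in one place: the relayed OTP is accepted, while every path the proxy has to a WebAuthn login fails at the browser, at the authenticator or at the server's origin and signature checks. The server-side checks in `rp_verify` are the ones to confirm your own relying-party library performs; skipping the origin comparison would reopen the hole that the browser-side scoping only partly closes.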
Mitigation Strategies
To protect your digital identity and secure your financial assets, the following strategies are urgently recommended:
- Enforce Phishing-Resistant MFA: All financial and tech-sector organizations must accelerate the transition to FIDO2-compliant hardware keys (e.g., YubiKey) or passkeys. With WebAuthn the browser writes the page’s origin into the signed assertion and will only use a credential for the relying-party ID it was registered to, so an assertion produced on a lookalike domain is rejected by the real portal; this neutralizes AiTM phishing kits.
- Implement Identity Threat Detection and Response (ITDR): Traditional perimeter defenses are insufficient. Organizations must monitor for anomalous SSO behavior, such as rapid logins to multiple sensitive applications or geographic access patterns that deviate from a user’s known profile.
- Employee Vishing Awareness Training: Training must move beyond email; employees must be trained to recognize sophisticated voice-based social engineering. Establish a strict verification protocol for any IT support call that involves authentication settings.
- Review Third-Party and Shadow SaaS Access: Regularly audit the permissions granted to third-party OAuth applications within your SSO environment. Revoke any access that is no longer necessary or appears suspicious.
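The ITDR recommendation above becomes concrete once it is expressed as detection logic over the identity provider's audit stream. The block below is an added example, not code from the original post, Figure or Okta: the events are constructed in the shape of Okta System Log records (eventType, actor, client, target fields) so the rules read naturally against that source, but the field paths and event names are assumptions to adapt to whatever your IdP exports. It learns a per-user country baseline, flags a session start from an unseen country, and flags a burst of SSO logins to many distinct applications inside a short window, the two anomalies the text calls out.

```python
"""Two ITDR-style detections over identity-provider audit events.

Added example; not code from the original post, Figure or Okta. Events are
constructed in the shape of Okta System Log records; adapt field paths to
your IdP's export.
"""
from collections import defaultdict
from datetime import datetime, timedelta


def ev(ts, etype, user, ip, country, app=None):
    """Build one constructed, System-Log-shaped event."""
    return {"published": ts, "eventType": etype,
            "actor": {"alternateId": user},
            "client": {"ipAddress": ip, "geographicalContext": {"country": country}},
            "outcome": {"result": "SUCCESS"},
            "target": [{"type": "AppInstance", "displayName": app}] if app else []}


USER = "j.doe@example-fintech.com"   # constructed
EVENTS = [
    # baseline days: one session each, a couple of apps, always the same country
    ev("2026-02-10T09:02:11Z", "user.session.start", USER, "203.0.113.10", "United States"),
    ev("2026-02-10T09:05:40Z", "user.authentication.sso", USER, "203.0.113.10", "United States", "Slack"),
    ev("2026-02-10T11:31:02Z", "user.authentication.sso", USER, "203.0.113.10", "United States", "Salesforce"),
    ev("2026-02-11T08:58:19Z", "user.session.start", USER, "203.0.113.10", "United States"),
    ev("2026-02-11T09:00:03Z", "user.authentication.sso", USER, "203.0.113.10", "United States", "Slack"),
    # incident day: a session from an unseen country followed by an SSO sweep across apps
    ev("2026-02-14T03:12:44Z", "user.session.start", USER, "198.51.100.7", "Netherlands"),
    ev("2026-02-14T03:13:10Z", "user.authentication.sso", USER, "198.51.100.7", "Netherlands", "Salesforce"),
    ev("2026-02-14T03:13:55Z", "user.authentication.sso", USER, "198.51.100.7", "Netherlands", "Slack"),
    ev("2026-02-14T03:14:31Z", "user.authentication.sso", USER, "198.51.100.7", "Netherlands", "Google Workspace"),
    ev("2026-02-14T03:15:08Z", "user.authentication.sso", USER, "198.51.100.7", "Netherlands", "GitHub"),
    ev("2026-02-14T03:16:49Z", "user.authentication.sso", USER, "198.51.100.7", "Netherlands", "AWS"),
]


def ts(e):
    return datetime.strptime(e["published"], "%Y-%m-%dT%H:%M:%SZ")


def ok_session_starts(events):
    return (e for e in events
            if e["eventType"] == "user.session.start" and e["outcome"]["result"] == "SUCCESS")


def learn_country_baseline(events, until):
    """Countries each user successfully logged in from before the cutoff."""
    seen = defaultdict(set)
    for e in ok_session_starts(events):
        if ts(e) < until:
            seen[e["actor"]["alternateId"]].add(e["client"]["geographicalContext"]["country"])
    return seen


def detect_new_country(events, baseline, since):
    """Session start from a country the user has never been seen in."""
    alerts = []
    for e in ok_session_starts(events):
        if ts(e) < since:
            continue
        user, country = e["actor"]["alternateId"], e["client"]["geographicalContext"]["country"]
        if country not in baseline.get(user, set()):
            alerts.append({"rule": "new_country_login", "user": user, "country": country,
                           "ip": e["client"]["ipAddress"], "at": e["published"]})
    return alerts


def detect_sso_burst(events, window=timedelta(minutes=10), min_apps=4):
    """Distinct apps reached via SSO by one user inside a sliding window; one alert per burst."""
    per_user = defaultdict(list)
    for e in events:
        if e["eventType"] != "user.authentication.sso" or e["outcome"]["result"] != "SUCCESS":
            continue
        app = next((t["displayName"] for t in e["target"] if t["type"] == "AppInstance"), None)
        if app:
            per_user[e["actor"]["alternateId"]].append((ts(e), app))
    alerts = []
    for user, hits in per_user.items():
        hits.sort()
        start, current = 0, None
        for i, (t, _) in enumerate(hits):
            while t - hits[start][0] > window:
                start += 1
            apps = {a for _, a in hits[start:i + 1]}
            if len(apps) < min_apps:
                continue
            if current is None or hits[start][0] > current["last"]:   # new burst, not an extension
                current = {"rule": "sso_burst", "user": user, "apps": set(), "from": hits[start][0].isoformat()}
                alerts.append(current)
            current["apps"] |= apps
            current["to"], current["last"] = t.isoformat(), t
    for a in alerts:
        a["apps"] = sorted(a.pop("apps"))
        a.pop("last")
    return alerts


def run(events, cutoff=datetime(2026, 2, 14)):
    """Learn the baseline before `cutoff`, then evaluate both rules."""
    baseline = learn_country_baseline(events, cutoff)
    return detect_new_country(events, baseline, cutoff) + detect_sso_burst(events)
```

On the constructed data `run(EVENTS)` yields two alerts for the same user within four minutes of each other: a login from a country absent from the baseline, then five distinct applications reached through SSO inside a ten-minute window. Correlating the two on user and time is what turns them into a high-confidence signal; either rule alone fires on legitimate travel or on a busy Monday morning, so tune `window` and `min_apps` against your own tenant's history before paging anyone.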
Secure Your Future with Brinztech — Global Cybersecurity Solutions
From agile SMEs and global enterprises to national agencies, Brinztech provides the strategic oversight necessary to defend against evolving digital threats. We offer expert consultancy to audit your current IT policies and GRC frameworks, identifying critical vulnerabilities before they can be exploited. Whether you are protecting a local business or a government entity, we ensure your security posture translates into lasting technical resilience—keeping your digital footprint secure, your citizens’ data private, and your future protected.
Questions or Feedback? For expert advice, use our ‘Ask an Analyst’ feature. Brinztech does not warrant the validity of external claims. For general inquiries or to report this post, please email us: contact@brinztech.com