When Fintech Giants Stay Silent, Security Experts Speak Up

Figure's data breach affects nearly 1 million customers, according to security researcher Troy Hunt, despite the company's vague 'limited files' statement. The ShinyHunters group is behind the attack.

967,200 customers just learned their trust was misplaced

When blockchain lending giant Figure announced a data breach last week, they called it "a limited number of files." Security researcher Troy Hunt had a different story to tell. After analyzing the stolen data published by hackers, Hunt found 967,200 unique email addresses belonging to Figure customers.

The breach wasn't just about email addresses. The 2.5 gigabytes of stolen data included customer names, birth dates, physical addresses, and phone numbers—a complete identity toolkit for cybercriminals. The notorious hacking group ShinyHunters claimed responsibility and published the data on their leak site, where they shame victims who refuse to pay ransom demands.

Corporate Speak vs. Reality Check

Figure's carefully worded statement about "limited files" stands in stark contrast to Hunt's findings. The company hasn't disputed the researcher's analysis, nor have they responded to requests for comment about the actual scope of the breach.

This disconnect between corporate damage control and independent security analysis has become a familiar pattern in fintech breaches. Companies minimize, researchers quantify, and customers are left wondering who to believe.

Hunt, who runs the Have I Been Pwned breach notification service, has built a reputation for cutting through corporate euphemisms with hard data. His analysis carries weight because he actually examines the stolen files, not just the press releases.

The Fintech Security Paradox

Figure built its reputation on making lending faster and more accessible through blockchain technology. But this breach highlights a fundamental tension in fintech: the same digital-first approach that enables innovation also creates new attack surfaces.

Traditional banks may be slower to innovate, but they've had decades to build security infrastructure. Fintech companies, racing to capture market share, often treat security as a cost center rather than a competitive advantage—until breaches like this force a reckoning.

ShinyHunters didn't target Figure randomly. The group specializes in hitting companies with valuable personal data and weak security postures. Their success suggests Figure's defenses weren't a match for determined attackers.

The Regulatory Response Gap

While Figure downplays the breach's scope, regulators are watching. The company operates in multiple states, each with different data protection requirements. Some mandate specific notification timelines and disclosure standards that Figure may now be navigating.

The contrast with traditional banking regulation is stark. Banks face regular security audits and must meet specific cybersecurity standards. Many fintech companies operate in regulatory gray areas, with oversight that varies by state and service type.

This content is AI-generated based on source articles. While we strive for accuracy, errors may occur. We recommend verifying with the original source.
