// UNCLASSIFIED // CLEARED FOR PUBLIC RELEASE //
FILE BRC-hibpDTG 0600Z
Breach Record

Figure

DISCLOSED 2026-01-28 · STOLEN CREDS · 967,178 RECORDS EXPOSED

In February 2026, data obtained from the fintech lending platform Figure was publicly posted online. The exposed data, dating back to January 2026, contained over 900k unique email addresses along with names, phone numbers, physical addresses and dates of birth. Figure confirmed the incident and attributed it to a social engineering attack in which an employee was tricked...

The record

What we know

Disclosed
2026-01-28
Attack vector
Stolen Creds
Records exposed
967,178
Domain
figure.com
Data classes exposed
Dates of birthEmail addressesNamesPhone numbersPhysical addresses
Sources

Cited reporting

Similar vector · recent

Other stolen creds breaches on file

This page is the permanent ColdRecon entry for the Figure disclosure. It updates if new public reporting emerges. All tracked breaches →

Figure just lived through this. Your next prospect doesn't have to.

ColdRecon turns every disclosed breach into a daily intelligence brief from the seller's seat — normalized to the factors that move a deal, written in the Handler's voice. Request clearance and the first lands tomorrow at 0600.

Request Clearance →