A data breach extortion group has leaked personal information from nearly 1 million customer accounts, stolen from blockchain-based lender Figure Technology Solutions.
Data breach notification service Have I Been Pwned added the incident to its database on Wednesday, noting that the exposure impacts approximately 967,000 unique email addresses, along with names, physical addresses, phone numbers and dates of birth.
The threat actor group ShinyHunters claimed responsibility for the attack and the subsequent data leak. The group has targeted several financial technology companies in recent months not with exploits of technical vulnerabilities but social engineering tactics — manipulating employees rather than hacking computer systems.
A spokesperson for Figure told American Banker that the breach occurred when “an employee was socially engineered, and that allowed an actor to download a limited number of files through their account.” The spokesperson said the company “acted quickly to block the activity and retained a forensic firm to investigate what files were affected.
“We understand the importance of these matters and are communicating with partners and those impacted as appropriate,” Figure’s spokesperson said. “We are also implementing additional safeguards and training to further strengthen our defenses.”
ShinyHunters claimed on its data leak site that it stole over 1 million records with personally identifiable information. The group also published supposed screenshots of internal Slack conversations between Figure employees about the threat actor’s tactics.
Source: Bloomberg