ShinyHunters Did Not Hack Figure. They Made a Phone Call

Figure Technology Solutions is the largest nonbank home equity line of credit lender in the United States. They process sensitive financial data for hundreds of thousands of borrowers. They went public in September 2025. They use Okta for single sign-on, as most modern companies do.

In January 2026, someone called one of their employees and pretended to be from IT support. The employee, following what felt like a routine internal request, handed over their credentials and multi-factor authentication code.

That phone call exposed the personal data of 967,000 Figure customers. ShinyHunters posted 2.5 gigabytes of stolen data on their dark web leak site on February 13, 2026, the same day Figure announced a secondary stock offering. Figure refused to pay ransom. The data went public.

How a phone call becomes a million-account breach

Voice phishing, known as vishing, is one of the oldest social engineering techniques. The attacker calls an employee, impersonates a trusted internal or external authority, creates urgency, and extracts credentials before the employee has time to question what’s happening.

What makes vishing particularly effective against cloud-first companies in 2026 is single sign-on. Okta, Microsoft Entra, Google Workspace — when every company application runs through one SSO layer, one compromised credential is not one application’s problem. It is every application’s problem simultaneously.

1. Reconnaissance. ShinyHunters identified the employee, their role, and enough internal context to make the impersonation credible. Public LinkedIn profiles, company directories, and prior breach data from other incidents all contribute to attacker reconnaissance.

2. Vishing call. The attacker called the employee impersonating IT support or a trusted authority and created urgency: a situation requiring immediate credential verification or account reset. The employee provided their Okta credentials and MFA code.

3. SSO access. With valid Okta credentials and the MFA code, the attacker authenticated as the employee. Every cloud application that employee could access was now accessible to the attacker using legitimate credentials.

4. Exfiltration. The attacker navigated internal systems and downloaded files containing customer PII: names, dates of birth, email addresses, phone numbers, and physical home addresses for 967,000 accounts.

5. Extortion and leak. ShinyHunters demanded a ransom. Figure refused. On February 13, 2026, the same day Figure announced a secondary stock offering, ShinyHunters posted 2.5 GB of stolen data publicly on their leak site.

This is not an isolated incident. It is a campaign.

Figure is one of more than 100 organizations targeted by ShinyHunters in the same voice phishing campaign targeting SSO providers. The list of confirmed victims reads across industries and company sizes:

  • Figure Technology
  • Betterment
  • SoundCloud
  • Match Group
  • Canada Goose
  • Panera Bread
  • Harvard University
  • UPenn
  • 100+ more

Google Threat Intelligence published a report in January 2026 describing the escalation of vishing operations by groups associated with ShinyHunters. The playbook is consistent: impersonate IT or security staff, target employees with SSO access, harvest credentials and MFA codes in real time, authenticate using the stolen session before the MFA code expires.

The attackers are bypassing technical security entirely. No exploit needed. No vulnerability in the code. Just a phone call to the right person at the right moment, and a set of credentials that opens every door.

Why this is harder to stop than a technical attack

Technical attacks leave artifacts. A WAF can block a malicious request. An EDR can flag a credential-harvesting process. A CSPM can detect an unusual access pattern in the cloud environment. The security infrastructure intercepts the attack at some point in the chain.

Vishing produces valid credentials. The attacker logs in as a real employee with a real password and a real, freshly verified MFA code. Every access control is satisfied. The session looks legitimate because it is legitimate, just not to the person who is supposed to own it.

This is where behavioral monitoring matters. A legitimate employee logging into their account from their usual device at a usual time is normal. The same credentials being used to access internal files at scale, from an unusual location or device, at an unusual hour, or accessing data outside their normal pattern, is an anomaly that endpoint detection and security monitoring can flag even when the credentials are valid.


  • Hardware-based MFA (FIDO2 keys). A time-based OTP code given over a phone call can be used in real time by an attacker. A hardware key physically tied to a device cannot be handed over a phone call. Figure’s MFA was bypassable by real-time relay. Hardware-based MFA is not.

  • Call verification policies. A written policy that IT will never ask for credentials or MFA codes over the phone, communicated to every employee, and tested through simulated vishing attempts, directly disrupts the attack playbook.

  • Behavioral anomaly detection on SSO sessions. Even with valid credentials, accessing internal systems outside normal hours, from new devices, or downloading data at unusual volume should trigger immediate alerts. The exfiltration at Figure involved downloading files at scale — detectable behavior if monitoring is in place.

  • Least privilege access controls. If the compromised employee only had access to the data their role required, the exfiltration would have been limited to that subset. Data minimization at the access level limits blast radius when credentials are compromised.
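The behavioral monitoring described above and the SSO anomaly detection bullet, as an added example that is not Figure's or Okta's code: a small scorer over constructed, Okta System Log-like events (the field names, the per-user baseline and the 20-downloads-per-10-minutes threshold are all assumptions) that flags a session started from an unknown device and IP outside working hours, and then a download burst from that same session, even though every login in the sample succeeded with valid credentials.

```python
from collections import defaultdict
from datetime import datetime
# Added example, not Figure's or Okta's code. Per-user baseline of known
# devices, source IPs and working hours (UTC); all values are constructed.
BASELINE = {"alice": {"devices": {"dev-laptop-1"}, "ips": {"203.0.113.10"},
                      "hours": range(8, 19)}}
DOWNLOAD_BURST = 20  # downloads per 10-minute window that trigger an alert (assumed)
TS_FMT = "%Y-%m-%dT%H:%M:%SZ"

# Constructed events in a simplified, Okta System Log-like shape (assumed fields).
EVENTS = [
    {"ts": "2026-01-20T10:02:00Z", "actor": "alice", "event": "user.session.start",
     "ip": "203.0.113.10", "device": "dev-laptop-1"},
    {"ts": "2026-01-20T22:41:00Z", "actor": "alice", "event": "user.session.start",
     "ip": "198.51.100.77", "device": "dev-unknown-9"},
] + [  # 30 file downloads within five minutes from the unknown device
    {"ts": f"2026-01-20T22:{45 + i // 6}:{(i % 6) * 10:02d}Z", "actor": "alice",
     "event": "file.download", "ip": "198.51.100.77", "device": "dev-unknown-9"}
    for i in range(30)
]

def score_event(ev, base):
    """Reasons an event deviates from the user's baseline; [] means it looks normal."""
    reasons = []
    if ev["ip"] not in base["ips"]:
        reasons.append("new_ip")
    if ev["device"] not in base["devices"]:
        reasons.append("new_device")
    if datetime.strptime(ev["ts"], TS_FMT).hour not in base["hours"]:
        reasons.append("off_hours")
    return reasons

def detect(events, baseline=BASELINE, burst=DOWNLOAD_BURST):
    """Return (ts, actor, reasons) alerts; a successful login is never taken as proof of legitimacy."""
    alerts, windows = [], defaultdict(int)  # (actor, 10-minute bucket) -> downloads
    for ev in sorted(events, key=lambda e: e["ts"]):
        base = baseline.get(ev["actor"])
        if base is None:
            continue  # no baseline yet: a real deployment would alert on this too
        if ev["event"] == "user.session.start":
            if reasons := score_event(ev, base):
                alerts.append((ev["ts"], ev["actor"], reasons))
        elif ev["event"] == "file.download":
            t = datetime.strptime(ev["ts"], TS_FMT)
            key = (ev["actor"], f"{t:%Y-%m-%dT%H}:{t.minute // 10}")
            windows[key] += 1
            if windows[key] == burst:  # alert once, when the threshold is crossed
                alerts.append((ev["ts"], ev["actor"],
                               ["download_burst"] + score_event(ev, base)))
    return alerts
```

In production the baseline would be learned from weeks of real System Log data and the alerts routed to the SOC; the point is that none of the signals depend on the password or MFA code being wrong.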

The timing was not accidental

ShinyHunters posted Figure’s stolen data on February 13, 2026. Figure announced a secondary public stock offering the same day. The group has a documented pattern of timing data releases to coincide with significant business events: IPOs, funding announcements, product launches. Maximum reputational damage, maximum extortion leverage.

For startups approaching a raise, a launch, or a major customer announcement, this pattern matters. The period of highest business visibility is also the period of highest attacker interest. Attackers research targets. They watch for announcements. They time releases for maximum impact.

Figure refused to pay. The data is now public. The company is managing the fallout alongside a new stock offering while offering credit monitoring to nearly a million customers.

The human attack surface

Technical controls stop technical attacks. Vishing bypasses technical controls entirely and targets your people directly.

Osto helps teams build the layered defenses that reduce the blast radius when social engineering works: endpoint protection that detects anomalous behavior from compromised sessions, access controls that limit what any one credential can reach, and security documentation and policy frameworks that include tested call verification procedures for your team.

If your MFA can be read out over a phone call, your MFA can be bypassed. That is not a hypothetical. It is what happened to Figure and over 100 other organizations in a single campaign.
