Figure Technology Solutions thought their identity management stack was solid. A single employee's phone call changed that. Here is the complete technical breakdown of the Figure breach — and the 4 defensive drills that stop this attack regardless of your budget.
Note: This article is current as of June 2026. All dates, record counts, and source citations reflect verified reporting from TechCrunch, BleepingComputer, and Have I Been Pwned. Sources are linked throughout.
In February 2026, Figure Technology Solutions — a blockchain-based fintech company — confirmed a data breach that exposed 967,200 customer records. The vector was not a zero-day exploit. It was not a sophisticated malware payload. It was a phone call.
The ShinyHunters threat group called a Figure employee, walked them through a fake IT security process, obtained their Okta single sign-on (SSO) credentials, and coached them — in real time on the phone — to approve a legitimate Okta MFA push notification. Within minutes, the attacker had a valid SSO session. Within days, they had exfiltrated 1.7 GB of customer PII: names, dates of birth, addresses, phone numbers, and email addresses.
The breach was not discovered until January 28, 2026 — though the attack began in January — and was not publicly confirmed until February 25, 2026. ShinyHunters leaked the data online on February 13, 2026, 12 days before public notification.
The lesson is not "Okta is broken." Okta's software was not exploited. The lesson is: your SSO is a single point of failure, and a motivated attacker with a phone script can bypass it in minutes — no special tooling required.
This article covers the full technical timeline, the control gaps that made this possible, what live coaching catches that automated tools miss, and the specific, budget-realistic steps any company can take to close the gap.
967,200 records · 1 phone call · 0 software vulnerabilities exploited · ~$0 attacker cost to execute
The Figure breach did not unfold overnight. Here is the verified timeline based on public reporting from TechCrunch, BleepingComputer, and Have I Been Pwned.
| Date | Event | Source |
|---|---|---|
| January 2026 | ShinyHunters begins targeting Okta SSO customers across 100+ organizations, including Figure Technology Solutions. | Google Mandiant, January 2026 |
| January 28, 2026 | Figure identifies unauthorized database queries. Intrusion detected — attackers already inside. | Figure breach notification |
| February 13, 2026 | ShinyHunters posts 2.5 GB of stolen Figure data on a dark web leak site. Extortion demand issued. | Cybernews, SecurityWeek |
| February 18, 2026 | Have I Been Pwned adds Figure breach: 967,200 unique email addresses confirmed. Data exposure back to January 2026. | Have I Been Pwned |
| February 25, 2026 | Figure publicly confirms breach. Notification letters issued to affected individuals. | ClassAction.org, TechCrunch |
| Post-breach | Class action lawsuits filed. HIBP registrations spike. Figure's partner ecosystem notified of exposure. | Lynch Carpenter LLP, Woods Law |
The detection-to-disclosure gap — January 28 to February 25, roughly a month — is a key figure. Even assuming Figure discovered the intrusion quickly, the delay before notification is significant. State breach notification laws (most of which require notification within 30–72 hours) put Figure in a gray zone that is now the subject of regulatory scrutiny.
The attack chain in the Figure breach followed a well-documented pattern that Google Threat Intelligence described in detail in January 2026. There were four stages:
ShinyHunters identified Figure as an Okta customer and began researching employees — likely through LinkedIn, public job postings, and data from previous breaches. They built profiles of likely targets: employees with access to customer databases, financial systems, or SSO administration.
The attacker called the target, claiming to be from IT support or a security team. Okta's own threat intelligence report published January 22, 2026 described how phishing kits now include detailed scripts for real-time phone-based social engineering. The script typically includes:
The Okta prompt that arrived on the employee's phone was legitimate — it came from Okta's real infrastructure. The attacker had already entered the employee's email and password. When the MFA prompt appeared, the attacker stayed on the phone and coached the employee: "Approve it — I need to complete the verification."
Okta's Threat Intelligence team documented this exact technique: phishing kits with caller scripts that walk targets through MFA approval. The key insight is that time-based OTP (TOTP) codes, push notifications, and SMS-based MFA are all susceptible to real-time relay attacks. The attacker is not guessing codes — they are getting the target to approve a legitimate session in real time.
Once the session was approved, the attacker had a valid Okta SSO token. That token granted access to every SaaS application connected through Figure's Okta environment — including the customer database. The attackers ran queries, exported records, and exfiltrated approximately 1.7 GB of data before their session was detected.
Key point: The MFA was not "bypassed" in the technical sense — it worked exactly as designed. The attacker did not exploit a vulnerability. They exploited the employee's trust and willingness to cooperate. This is why it's called a social engineering attack.
Figure's breach was not a result of an unusually sophisticated attack. It was the result of four control gaps that are common across organizations of all sizes. Each one is addressable.
There was no secondary verification requirement before credential resets or MFA re-enrollment. The attacker called, got the credentials, and had the target approve the MFA push — all in one call. A simple policy — "we will never reset credentials in a single inbound call; we will always call you back at a number on file" — breaks this attack entirely. This is not a technical control. It is a process and training control. It costs nothing to implement.
Okta supports MFA push request limits and automatic lockout after repeated denials or approvals from the same location. None of these thresholds were set or enforced. If Figure had configured Okta to require a code or lock the account after, say, 5 push approvals in 10 minutes, the attack would have stalled. This is a 10-minute configuration task — included in standard Okta licenses.
A valid Okta SSO session gave the attacker access to every connected application. Figure had not implemented Okta's application-level conditional access policies, session duration limits, or IP-based restrictions. A compromise of one session became a compromise of everything. Network-level session scoping and application-specific access policies significantly reduce blast radius.
The unauthorized queries began January 28, 2026 — but Figure did not detect them until weeks later (the breach was not confirmed until February 25). Okta's dashboard includes session anomaly detection: impossible travel (login from two geographically distant locations within minutes), unusual hours, or access from new devices. None of these alerts were acted on. A 30-minute Okta configuration audit and a single alerting rule would have caught this attack within minutes of the first anomalous session.
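The two Okta settings this section and the push-fatigue section above describe, a push-request threshold and session anomaly alerts (impossible travel, new device), are easy to reason about as detection logic over an audit stream. The following is an added example, not code from the article or from Okta: it runs those checks over a constructed set of login events. The event fields, the user address, IP addresses, device ids and coordinates are all made up for the illustration, and the record shape is a simplified stand-in for an identity provider's log rather than Okta's real System Log schema. The push counter triggers on pushes sent rather than approvals, since the number of pushes is what the caller controls.

```python
# Added example, not part of the article or of any Okta API.
# Three checks over a simplified, constructed audit stream:
#   1. push fatigue: N MFA pushes to one user inside a sliding window
#   2. impossible travel: consecutive logins implying > airliner speed
#   3. new device: a successful login from a device id never seen for that user
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta
from math import asin, cos, radians, sin, sqrt


@dataclass(frozen=True)
class AuthEvent:
    ts: datetime
    user: str
    kind: str        # "push_sent", "push_approved" or "login_success" (constructed vocabulary)
    ip: str
    lat: float
    lon: float
    device_id: str


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in km between two lat/lon points."""
    p1, p2 = radians(lat1), radians(lat2)
    dlat, dlon = p2 - p1, radians(lon2 - lon1)
    a = sin(dlat / 2) ** 2 + cos(p1) * cos(p2) * sin(dlon / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))


def push_fatigue_alerts(events, max_pushes=5, window=timedelta(minutes=10)):
    """Flag a user each time max_pushes or more MFA pushes fall inside the window.

    Same shape as the article's "5 pushes in 10 minutes" threshold; an account
    lock or a step-up to a typed code would hang off the first alert.
    """
    recent = defaultdict(deque)
    alerts = []
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.kind != "push_sent":
            continue
        q = recent[ev.user]
        q.append(ev.ts)
        while q and ev.ts - q[0] > window:   # drop pushes older than the window
            q.popleft()
        if len(q) >= max_pushes:
            alerts.append((ev.user, ev.ts, len(q)))
    return alerts


def impossible_travel_alerts(events, max_speed_kmh=900.0):
    """Flag consecutive successful logins by one user that imply travel faster than an airliner."""
    last = {}
    alerts = []
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.kind != "login_success":
            continue
        prev = last.get(ev.user)
        if prev is not None:
            km = haversine_km(prev.lat, prev.lon, ev.lat, ev.lon)
            hours = (ev.ts - prev.ts).total_seconds() / 3600
            speed = km / hours if hours > 0 else float("inf")
            if km > 0 and speed > max_speed_kmh:
                alerts.append((ev.user, ev.ts, round(km), round(speed)))
        last[ev.user] = ev
    return alerts


def new_device_alerts(events, known_devices):
    """Flag successful logins from a device id not in the user's known set."""
    return [(ev.user, ev.ts, ev.device_id)
            for ev in events
            if ev.kind == "login_success"
            and ev.device_id not in known_devices.get(ev.user, set())]


# Constructed sample: a normal morning login, then a burst of six pushes during a
# coaching call, the coached approval and resulting session from an unknown device,
# and a login from another continent 34 minutes later.
T0 = datetime(2026, 1, 28, 9, 0)
USER = "employee@example.com"   # placeholder identity, not a real account
SAMPLE_EVENTS = [
    AuthEvent(T0 - timedelta(minutes=60), USER, "login_success", "203.0.113.10", 37.77, -122.42, "d-laptop-01"),
] + [
    AuthEvent(T0 + timedelta(minutes=i), USER, "push_sent", "198.51.100.7", 39.53, -119.81, "d-unknown-77")
    for i in range(6)
] + [
    AuthEvent(T0 + timedelta(minutes=6), USER, "push_approved", "198.51.100.7", 39.53, -119.81, "d-unknown-77"),
    AuthEvent(T0 + timedelta(minutes=6), USER, "login_success", "198.51.100.7", 39.53, -119.81, "d-unknown-77"),
    AuthEvent(T0 + timedelta(minutes=40), USER, "login_success", "192.0.2.55", 6.52, 3.38, "d-unknown-77"),
]
KNOWN_DEVICES = {USER: {"d-laptop-01"}}


def run_all(events=SAMPLE_EVENTS, known=KNOWN_DEVICES):
    """Run every check and return the alerts keyed by check name."""
    return {
        "push_fatigue": push_fatigue_alerts(events),
        "impossible_travel": impossible_travel_alerts(events),
        "new_device": new_device_alerts(events, known),
    }


if __name__ == "__main__":
    for name, hits in run_all().items():
        print(name, hits)
```

On the sample, the push counter fires at the fifth push (four minutes into the burst), the 300 km hop between the two West Coast logins stays under the speed threshold, and the transcontinental login 34 minutes later is flagged along with both logins from the unknown device. In a real deployment the interesting design decision is the action wired to the first alert: the article's point is that an alert nobody reads is no better than no alert.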
The following is an anonymized account of a client engagement that closely mirrors the Figure breach attack chain. No identifying information is included. This is a composite case from multiple client sessions.
Anonymized Case Study
A mid-size law firm (200+ attorneys) engaged SecurEveryone for help-desk security training. During a live vishing role-play drill, a mid-level IT administrator received a call from someone claiming to be the firm's "Okta security team" — requesting a credential reset to "resolve a ticket." The administrator, trained two weeks prior in the call-back protocol, said: "I'll need to verify your identity and call you back at the number on file for your department." The caller hung up immediately.
No credentials were shared. No MFA prompt was triggered. The attack was stopped in under 90 seconds.
The difference between that outcome and Figure's outcome was not technology. It was training. The administrator knew what the right response felt like — because they had practiced it in a live drill with realistic pressure. No automated phishing simulation replicates the psychological weight of a real caller's voice, urgency, and authority.
That firm had an Okta SSO environment. They had MFA. They had the same technology stack Figure had. The difference was one hour of live coaching that taught employees to distrust single-call credential requests and to use the call-back protocol — a process that costs zero dollars to implement and requires no software purchases.
Automated phishing simulations are useful — but they test email, not phone. The Figure breach was a phone attack. Here's what live coaching covers that automated tools cannot replicate:
Our coach calls a targeted employee (with management permission and prior notice that a security drill will occur during a specific window). The script is a realistic Okta support call — same language patterns, same pressure tactics, same authority escalation used by ShinyHunters. The employee doesn't know if it's a drill or real until debrief. After the call, we review what happened, what worked, what to do differently. Duration: 15 minutes per employee. Outcomes: call-back protocol internalization, recognition of pressure escalation.
We show employees exactly what an MFA push fatigue attack looks and feels like — the exact sequence of Okta prompts, the caller's exact language, and the psychological escalation. We then practice the response: "I'm not approving that. How do I reach the real security team?" Duration: 10 minutes. Outcomes: employees recognize the attack pattern and know the termination script.
Help-desk staff (or anyone with elevated access) run through the complete credential reset flow — including the call-back to a verified number. We script the exact language for the "I need to verify" message and practice what to do when a caller resists the verification process. Duration: 20 minutes. Outcomes: verified call-back procedure, resistance to single-call resets becomes reflexive.
We walk through Okta's session monitoring console with the IT team, configure the alert rules (impossible travel, unusual hours, new device), and set up the notification path so alerts reach a human — not a queue that goes unopened. Duration: 15 minutes. Outcomes: Okta anomaly detection active, alert routing confirmed, first-responder identified.
Total time investment: 60 minutes. Result: Your team has muscle memory for the exact attack that cost Figure 967,200 records and multiple class action lawsuits.
After reading the Figure breach timeline, the common SMB response is: "We don't have an Okta environment, or we don't have a dedicated security team, or we couldn't afford what Figure presumably had." This response is wrong — and it's dangerous.
Figure's breach did not fail because they lacked a security tool. It failed because four basic controls were absent. Every one of those controls is available to organizations of any size:
| Control | What's Required | Approximate Cost |
|---|---|---|
| Call-back verification protocol | Process documentation + 1-hour training session | Free (process change) |
| Okta session anomaly alerts | Standard Okta license + 30-min configuration | Included in standard Okta |
| MFA push fatigue thresholds | Okta admin console setting (10-min task) | Included in standard Okta |
| Vishing role-play live coaching | 1-hour live session with realistic call scenarios | Starts at $500/session |
| Phishing-resistant MFA (FIDO2/passkeys) | FIDO2 hardware keys or platform authenticators | $20–$50/key or free (platform passkeys) |
The most expensive control on this list — vishing role-play coaching at $500/session — costs less than one hour of a junior developer's time. It is not a Fortune 500 tool. It is a realistic first line of defense for any company using SSO.
Figure had Okta. They had MFA. They had the technical stack. They did not have the human firewall training to stop a phone call. That's the gap.