The Figure Technology Breach and the Rise of Real-Time Session Hijacking

How a Voice Phishing Call Led to Nearly One Million Records Exposed

Figure Technology confirmed a data breach affecting close to one million customer records in February 2026. An employee received a call from someone claiming to be IT support, a technique known as voice phishing (vishing), and was directed to a phishing page designed to mimic the company's legitimate Okta login portal. This is an adversary-in-the-middle (AitM) attack: the page acted as a real-time proxy, forwarding the employee's credentials and MFA code to the genuine portal as they were entered. With an authenticated session obtained via the proxied login, the attacker was then able to register their own device as a trusted authenticator, effectively becoming a legitimate user with persistent access to Figure's systems. The cybercrime group ShinyHunters subsequently published over 2.5 gigabytes of stolen data after Figure declined to pay the ransom demand.

Why Real-Time Adversary-in-the-Middle (AitM) Attacks Defeat Traditional MFA

What this incident demonstrates is that MFA is not sufficient against an attacker who can intercept a session in real time. The employee is not at fault. There was simply no mechanism available to verify whether the caller was who they claimed to be. This is the gap that persists even in organisations with otherwise strong authentication infrastructure: the human interaction around the system is left without any protection.

Closing the Human Verification Gap with UnDoubt

This is the problem UnDoubt is designed to address. By anchoring verification to an enrolled passkey credential linked to the user's organisational identity, both sides of an interaction can confirm who they are without relying on caller recognition or shared knowledge. In the Figure breach, there were two points of failure: the initial call, where the employee had no way to verify the caller was genuine, and the device registration that followed, where a sensitive action was completed without any additional confirmation beyond already-compromised credentials. UnDoubt addresses both. A verification challenge can be issued at the moment a risky request is received, and policy can be configured to require cryptographic confirmation before sensitive actions are permitted to proceed. A challenge is bound to a specific request and requires a signed response from the enrolled credential. It cannot be replayed, forwarded or socially engineered out of someone.

Human-to-Human Verification as the Missing Control Layer

The attacker in the Figure breach was convincing enough to bypass human judgement. A cryptographic confirmation tied to an enrolled identity cannot be bypassed in the same way, since there is no script an attacker can follow to produce a valid signed response from someone else's credential. This is what we mean by human-to-human verification: both parties can prove who they are, in the moment, independent of the channel being used.
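The request-bound challenge pattern described in the two sections above, shown as an added example. This is not UnDoubt's code or API (the page does not describe the product's internals); it is a minimal model of the general pattern: a verifier issues a challenge tied to a request ID, an action, a fresh nonce and an expiry; the enrolled credential signs exactly that challenge; and the verifier rejects a replayed response, a response forwarded to a different request, an expired challenge, and a signature from a key that was never enrolled. The ECDSA P-256 key standing in for a passkey, and all type and function names, are assumptions made for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"time"
)

// Challenge is what the verifier issues when a risky request arrives. It is
// bound to one request and one action, carries a fresh nonce and expires.
type Challenge struct {
	RequestID string
	Action    string
	Nonce     string
	Expires   time.Time
}

// digest is the canonical byte string both sides sign and verify. The fixed
// field order means a signature covers exactly this request and nothing else.
func (c Challenge) digest() []byte {
	h := sha256.New()
	h.Write([]byte(c.RequestID + "\n" + c.Action + "\n" + c.Nonce + "\n" +
		c.Expires.UTC().Format(time.RFC3339)))
	return h.Sum(nil)
}

// Verifier holds enrolled public keys and the nonces already consumed.
// The clock is injectable so expiry can be exercised deterministically.
type Verifier struct {
	enrolled map[string]*ecdsa.PublicKey // user -> enrolled credential public key
	used     map[string]bool             // nonce -> already consumed
	now      func() time.Time
}

func NewVerifier(now func() time.Time) *Verifier {
	return &Verifier{enrolled: map[string]*ecdsa.PublicKey{}, used: map[string]bool{}, now: now}
}

// Enroll records the public half of a user's credential (the passkey stand-in).
func (v *Verifier) Enroll(user string, pub *ecdsa.PublicKey) { v.enrolled[user] = pub }

// Issue creates a challenge for one specific request with a random nonce.
func (v *Verifier) Issue(requestID, action string, ttl time.Duration) (Challenge, error) {
	nonce := make([]byte, 16)
	if _, err := rand.Read(nonce); err != nil {
		return Challenge{}, err
	}
	return Challenge{RequestID: requestID, Action: action,
		Nonce: hex.EncodeToString(nonce), Expires: v.now().Add(ttl)}, nil
}

// Sign is what the enrolled credential does on the user's side: it signs the
// challenge digest with the private key that never leaves the user's device.
func Sign(priv *ecdsa.PrivateKey, c Challenge) ([]byte, error) {
	return ecdsa.SignASN1(rand.Reader, priv, c.digest())
}

var (
	ErrUnknownUser = errors.New("no enrolled credential for user")
	ErrExpired     = errors.New("challenge expired")
	ErrReplayed    = errors.New("challenge already used")
	ErrBadSig      = errors.New("signature does not verify against enrolled credential")
)

// Confirm checks expiry, single use and that the signature was produced by the
// enrolled credential over this exact request. The nonce is consumed only on success.
func (v *Verifier) Confirm(user string, c Challenge, sig []byte) error {
	pub, ok := v.enrolled[user]
	if !ok {
		return ErrUnknownUser
	}
	if v.now().After(c.Expires) {
		return ErrExpired
	}
	if v.used[c.Nonce] {
		return ErrReplayed
	}
	if !ecdsa.VerifyASN1(pub, c.digest(), sig) {
		return ErrBadSig
	}
	v.used[c.Nonce] = true
	return nil
}

func main() {
	v := NewVerifier(time.Now)
	alice, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	v.Enroll("alice", &alice.PublicKey)
	c, _ := v.Issue("req-1", "register-authenticator", 2*time.Minute)
	sig, _ := Sign(alice, c)
	fmt.Println("first response:", v.Confirm("alice", c, sig))  // <nil>
	fmt.Println("replayed response:", v.Confirm("alice", c, sig)) // challenge already used
}
```

Design note: the signature covers the request ID and action, so a response obtained for one request is useless for another, and the verifier's consumed-nonce set makes each response single-use. A real passkey adds what this model leaves out: the private key is held by an authenticator rather than in process, and WebAuthn also binds the signature to the relying party's origin, which is what defeats a proxied login page.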

Sources:

  1. TechCrunch. (2026, February 13). Fintech lending giant Figure confirms data breach. https://techcrunch.com/2026/02/13/fintech-lending-giant-figure-confirms-data-breach/
  2. State of Surveillance. (2026). Figure Technology breach: ShinyHunters leak 2.5GB following Okta-targeted attack. https://stateofsurveillance.org/news/figure-technology-breach-shinyhunters-okta-2026/
© LastingAsset Limited. Reg. SC781466, 6 Bainfield Drive, EH11 1AR