What happened
ShinyHunters — a well-documented criminal group responsible for multiple large-scale breaches — targeted Figure Technology Solutions, a financial services company. Rather than attempting to breach technical defences, they contacted an employee directly and manipulated them into providing access to internal systems.
The stolen dataset of approximately 967,000 user accounts was posted online. Records included names, dates of birth, email addresses, postal addresses, and phone numbers — sufficient data to enable targeted identity theft and phishing campaigns against nearly a million people.
What is social engineering?
Social engineering is manipulation — convincing a person to do something through deception rather than technical means. It exploits trust, authority, urgency, or helpfulness. Common scenarios include someone posing as IT support asking for credentials, an email appearing to be from a manager requesting urgent action, and a phone call from a fake vendor needing system access.
What you should do
- Never provide account access, passwords, or sensitive data in response to an unsolicited request
- Verify any unusual request by calling back on a known number — not the number provided in the message
- If you feel pressured to act quickly, treat it as a warning sign — urgency is a manipulation technique
- Report suspicious contact attempts to IT immediately