How Social Engineering Outsmarted SSO and MFA at Figure Technology Solutions
A single phone call can sometimes do what a thousand lines of malicious code cannot. The data breach at Figure Technology Solutions is a striking example of how cybercriminals, armed with nothing more than a convincing voice and a well-crafted script, can sidestep even the most robust technical defenses. In this case, the ShinyHunters extortion group used vishing—voice phishing—to impersonate IT staff, guiding employees through a series of steps that ultimately handed over both their credentials and multi-factor authentication (MFA) codes. This breach didn’t just compromise a password or two; it unlocked access to a web of interconnected enterprise platforms, exposing nearly a million accounts and 2.5GB of sensitive data (BleepingComputer).
What makes this incident especially noteworthy is not a flaw in the technology itself, but the way attackers exploited human psychology—trust, urgency, and the natural instinct to comply with authority. By leveraging social engineering, the attackers bypassed both Single Sign-On (SSO) and MFA, two pillars of modern cybersecurity. The Figure breach is a wake-up call for organizations relying solely on technical controls, reminding us that the human element remains the most unpredictable variable in any security equation (BleepingComputer).
How Social Engineering Outsmarted SSO and MFA at Figure Technology Solutions
The Attack Vector: Vishing and Impersonation Tactics
The breach at Figure Technology Solutions was orchestrated through a sophisticated social engineering campaign, primarily leveraging voice phishing (vishing) techniques. Attackers, identified as the ShinyHunters extortion group, initiated the compromise by impersonating IT support staff. They contacted employees of Figure and other targeted organizations, presenting themselves as legitimate internal personnel responsible for technical troubleshooting or security updates (BleepingComputer).
The attackers’ strategy relied on psychological manipulation, exploiting trust and urgency. Employees were convinced to navigate to phishing websites that closely mimicked the company’s legitimate login portals. The attackers guided their targets through the process of entering their credentials and, crucially, their multi-factor authentication (MFA) codes. This method bypassed the technical safeguards of SSO and MFA by exploiting the human element, rather than attempting to break the underlying cryptographic protections.
Exploiting Single Sign-On (SSO) for Lateral Movement
Once attackers obtained valid credentials and MFA tokens, they gained access to the victim’s SSO account. SSO is designed to streamline authentication by allowing users to access multiple enterprise applications with a single set of credentials. However, this convenience also means that a compromised SSO account can serve as a master key to a wide range of interconnected systems.
In the case of Figure Technology Solutions, attackers used SSO access to infiltrate a variety of enterprise platforms, including Salesforce, Microsoft 365, Google Workspace, SAP, Slack, Zendesk, Dropbox, Adobe, and Atlassian (BleepingComputer). This lateral movement enabled the attackers to exfiltrate sensitive data from multiple sources, amplifying the scale and impact of the breach.
Circumventing Multi-Factor Authentication (MFA) with Real-Time Phishing
A critical aspect of the attack was the real-time interception of MFA codes. Multi-factor authentication is widely regarded as a robust defense against unauthorized access, requiring users to provide a second verification factor—typically a time-sensitive code sent via SMS, app, or hardware token. However, the attackers’ vishing tactics enabled them to bypass this safeguard.
During the phone calls, attackers instructed employees to enter their MFA codes into the phishing site immediately after entering their credentials. The phishing infrastructure was designed to relay these codes in real time to the attackers, who could then use them to complete the authentication process on the legitimate Figure systems. This method, known as “real-time phishing” or “MFA prompt bombing,” effectively neutralized the additional security layer provided by MFA (BleepingComputer).
Data Exfiltration and Impact Scope
The breach resulted in the theft of personal and contact information from nearly 1 million Figure accounts. The attackers reportedly exfiltrated 2.5GB of data, including files related to thousands of loan applicants. The compromised data was subsequently leaked on the ShinyHunters’ dark web site, amplifying the risk of identity theft, fraud, and further cyberattacks against affected individuals (BleepingComputer).
The attackers’ access to SSO-enabled platforms meant that the breach was not limited to a single database or application. Instead, it spanned multiple enterprise systems, each potentially containing sensitive information about customers, partners, and internal operations. This broad access underscores the systemic risk posed by SSO compromise, especially when combined with successful social engineering.
Lessons from the Figure Breach: Human Factors in Security Controls
The Figure Technology Solutions breach highlights the limitations of technical controls when confronted with advanced social engineering. While SSO and MFA are essential components of modern cybersecurity architectures, their effectiveness is contingent on the vigilance and security awareness of end users.
The attackers’ success in bypassing both SSO and MFA was not due to flaws in the technologies themselves, but rather to their ability to manipulate human behavior. This underscores the importance of comprehensive security training, regular phishing simulations, and the implementation of additional safeguards such as:
- Contextual and risk-based authentication: Systems that detect anomalies in login behavior (e.g., unusual locations or devices) and require additional verification before granting access.
- Phishing-resistant MFA: Adoption of hardware security keys or biometric authentication, which are less susceptible to real-time interception.
- Incident response readiness: Rapid detection and containment protocols to limit damage in the event of credential compromise.
The Figure breach serves as a case study in the evolving tactics of cybercriminals and the need for organizations to address both technological and human vulnerabilities in their security strategies. (BleepingComputer)
Final Thoughts
The Figure Technology Solutions breach is a textbook case of how cybercriminals are evolving their tactics to outsmart even the most advanced security measures. While SSO and MFA are essential, their effectiveness is only as strong as the people using them. Attackers are increasingly turning to real-time phishing and social engineering, exploiting the very users these systems are designed to protect (BleepingComputer).
Organizations must go beyond technical controls, investing in ongoing security awareness training, phishing simulations, and adopting phishing-resistant authentication methods like hardware security keys. The Figure breach is a stark reminder: cybersecurity is not just about technology—it’s about people, process, and preparedness.
References
- BleepingComputer. (2024). Data breach at fintech firm Figure affects nearly 1 million accounts. https://www.bleepingcomputer.com/news/security/data-breach-at-fintech-firm-figure-affects-nearly-1-million-accounts/