Your Loan Application Is Now on the Dark Web
A wave of social engineering attacks is hitting fintech companies hard. Here's why they have so much of your data and how to limit your exposure.
In the past few weeks, the ShinyHunters hacking group has been on a tear. Figure Technology — a fintech lending platform — just confirmed that nearly a million accounts were compromised. Names, emails, phone numbers, physical addresses, dates of birth. All stolen through a single social engineering attack where an employee was tricked into handing over access.
And Figure isn't alone. ShinyHunters has hit Betterment (1.4 million accounts), Panera Bread (5.1 million), SoundCloud (298 million), and several others — some of them through the same technique: voice phishing aimed at single sign-on credentials.
What caught my attention isn't the hacking method. Social engineering has been around forever. It's the type of data being leaked, especially from fintech companies. Because when a lending platform gets breached, the data is far more detailed than your average email-and-password dump.
Fintech Companies Know Everything About You
Think about what you hand over when you apply for a loan, open an investment account, or use a "buy now, pay later" service. It's not just your email:
- Full legal name and date of birth
- Home address (current and sometimes previous)
- Phone number
- National ID or tax number (in Iceland that's your kennitala, in Germany your Steuer-ID)
- Income details and employment information
- Bank account numbers
- Credit history references
This is identity theft fuel. With this data, an attacker doesn't need to guess — they can impersonate you convincingly to banks, phone companies, and government services.
Regular breaches are bad. Fintech breaches are a different category entirely.
The Social Engineering Problem
Here's the uncomfortable part: these companies aren't being hacked through some exotic zero-day vulnerability. ShinyHunters reportedly called employees on the phone, pretended to be IT support, and convinced them to hand over their SSO login credentials. That's it.
No malware. No code exploits. Just a convincing phone call.
This tells you something important about how your data is protected. A company can have the best firewalls and encryption in the world, but if one employee falls for a phone scam, the attackers walk right in. And with large organizations employing thousands of people, someone will eventually pick up that call and comply.
Under GDPR, companies are required to implement "appropriate technical and organisational measures" to protect personal data. Whether a single vishing call counts as a failure of organisational measures is exactly the kind of question that data protection authorities are now investigating. Figure hasn't disclosed whether European users were affected, but if they were, the fines could be significant.
What Actually Happens After Your Data Leaks
When your data from a fintech breach hits the dark web, it doesn't just sit there. Here's the typical chain:
- Credential stuffing — If the dump includes passwords (or hashes that crack easily), your email and password combo gets tested against hundreds of other services. If you reused that password anywhere, those accounts are now compromised too.
- Targeted phishing — Attackers know you're a Figure customer, so they send you a convincing email about "verifying your loan details." They already have your address and date of birth to make it look legitimate.
- Identity fraud — With enough personal data, attackers apply for credit cards, loans, or phone contracts in your name. This can take months to untangle.
- Data enrichment — Your leaked fintech data gets combined with data from other breaches. The more pieces of your identity floating around, the more complete the picture becomes.
How to Limit Your Exposure
You can't control whether a fintech company gets breached. But you can control how much damage it does.
Before You Sign Up
Ask yourself: does this company actually need all this data? Many fintech apps request permissions and personal details far beyond what's required for their service. A budgeting app doesn't need your national ID number. A payment service doesn't need your employment history.
In the EU, GDPR's data minimisation principle (Article 5(1)(c)) says personal data must be adequate, relevant and limited to what is necessary for the stated purpose. If a service is asking for more than its purpose can justify, that's a red flag.
Use separate email addresses. I wrote about email aliases before — this is exactly where they pay off. When Figure gets breached and your alias figure@yourdomain.com shows up in the dump, you know exactly where it came from and can disable that alias immediately.
Check if they're regulated. In the EU, look for companies authorised by national financial authorities (BaFin in Germany, FME in Iceland, which since 2020 sits within the Central Bank of Iceland, AMF in France). Regulated companies face stricter data handling requirements. Non-regulated fintech startups operating from outside Europe? Your data might have fewer protections than you think.
With Your Existing Accounts
Enable the strongest authentication available. Not just SMS two-factor — use a hardware security key or, failing that, an authenticator app. There's a reason to prefer the key: a caller posing as IT support who has talked you out of your password will ask you to read out the one-time code or approve the push prompt next, and an SMS or app code can be read down the phone just as easily as a password. A FIDO2 hardware key can't be relayed that way, because it only signs for the real site's origin. If the company only offers SMS verification, that's worth noting as a limitation.
Freeze your credit. In many European countries, you can place alerts or restrictions on your credit file. In Iceland, contact Creditinfo. In Germany, SCHUFA offers a fraud alert service. This makes it harder for anyone to open accounts in your name even if they have your personal details.
Remove old accounts. That fintech app you tried for two weeks in 2023? Your data is still sitting on their servers. Log in, download anything you need, then delete your account. Under GDPR Article 17, you have the right to erasure — use it. If the app doesn't offer account deletion, email their data protection officer directly.
Monitor for breaches. Have I Been Pwned is free and will notify you when your email appears in a breach. Set up notifications for every email address you use with financial services. If your aliases live on a domain you own, HIBP's domain search covers every address on that domain at once, so you don't have to register each alias separately.
After a Breach
Don't wait for the company to notify you. Breach notifications are often delayed by weeks or months. Figure's breach happened in January 2026 but only became public in February. Check Have I Been Pwned regularly.
Change passwords immediately — not just for the breached service, but for any account where you used the same password. This is the number one reason to use a password manager with unique passwords everywhere.
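The "has this password leaked?" check can be done without sending the password, or even its full hash, anywhere. What follows is an added example (my code, not the page's and not Have I Been Pwned's) of the k-anonymity range query that HIBP's Pwned Passwords service exposes: only the first five hex characters of the password's SHA-1 go to the server, the server returns every known hash suffix sharing that prefix with a breach count, and the match is made locally. The endpoint URL and the Add-Padding header are the service's real interface; the sample response below is constructed for the offline demo, except that the first suffix really is the remainder of SHA-1("password").

```python
from __future__ import annotations

import hashlib
import urllib.request

# Real endpoint of the Pwned Passwords range API.
API_BASE = "https://api.pwnedpasswords.com/range/"


def split_sha1(password: str) -> tuple[str, str]:
    """Split the uppercase hex SHA-1 of the password into the 5-char prefix
    that is sent to the server and the 35-char suffix that never leaves
    this machine."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range(body: str) -> dict[str, int]:
    """Parse a range response, one 'SUFFIX:COUNT' entry per line, into a dict.
    Malformed lines are skipped rather than trusted."""
    counts: dict[str, int] = {}
    for raw in body.splitlines():
        line = raw.strip()
        if ":" not in line:
            continue
        suffix, count = line.split(":", 1)
        suffix = suffix.strip().upper()
        if len(suffix) != 35 or not count.strip().isdigit():
            continue
        counts[suffix] = int(count)
    return counts


def breach_count(suffix: str, body: str) -> int:
    """Number of times the full hash appears in the breach corpus (0 = not
    seen). Padding entries the server adds carry a count of 0, so they
    never produce a false positive."""
    return parse_range(body).get(suffix.upper(), 0)


def fetch_range(prefix: str, timeout: float = 10.0) -> str:
    """Live lookup (needs network; not used by the offline demo below).
    Add-Padding makes the server pad every response to a similar number of
    lines, so the response size does not reveal how many real suffixes
    share the prefix."""
    req = urllib.request.Request(
        API_BASE + prefix,
        headers={"Add-Padding": "true", "User-Agent": "pwned-range-example"},
    )
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read().decode("utf-8")


def check_password(password: str, body: str | None = None) -> int:
    """Return how often the password shows up in breaches; 0 means not found."""
    prefix, suffix = split_sha1(password)
    if body is None:
        body = fetch_range(prefix)
    return breach_count(suffix, body)


# Constructed sample response for prefix 5BAA6 (the real prefix of
# SHA-1("password")). A real response has several hundred lines; the
# counts and the other suffixes here are made up for the offline demo.
SAMPLE_RANGE_5BAA6 = "\r\n".join([
    "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493",  # rest of SHA-1("password")
    "0123456789ABCDEF0123456789ABCDEF012:0",        # padding-style entry
    "F" * 35 + ":12",
])

if __name__ == "__main__":
    hits = check_password("password", SAMPLE_RANGE_5BAA6)
    print(f"'password' seen {hits} times in the sample range")
    # Uncomment for a live query (sends only the 5-char prefix):
    # print(check_password("correct horse battery staple"))
```

The point of the split is that the server learns a five-character prefix shared by hundreds of passwords and nothing else; a compromised or logging API endpoint still can't tell which one you asked about. Run this against a password manager's export, one entry at a time, and anything with a non-zero count goes on the rotation list.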
Watch your bank statements. Set up transaction alerts for any amount. Fraudulent charges often start small — a €1 or €2 test transaction — before the bigger hits come.
File a complaint with your data protection authority if you're in the EU and the company never told you. Under GDPR the company has to report the breach to its supervisory authority within 72 hours of becoming aware of it (Article 33), and it has to inform affected individuals without undue delay when the breach is likely to put them at high risk (Article 34); a leak of financial identity data almost certainly qualifies. A complaint under Article 77 creates accountability and might prompt an investigation.
The Bigger Picture
Every few months, I see a new fintech startup promising to "revolutionise" banking, lending, or investing. The pitch is always smooth. The app is always slick. The data collection is always extensive.
What's rarely mentioned is the security posture. How do they train employees against social engineering? How is data segmented internally? What's their incident response plan? These aren't questions on the landing page, but they're the ones that matter when — not if — a breach happens.
I'm not saying avoid fintech entirely. Some of these services are genuinely useful. But treat every sign-up as a calculated risk. The less data you hand over, and the more compartmentalised your digital identity, the smaller the blast radius when things go wrong.
Because based on the last few weeks, things are going wrong a lot.