Skip to content
Tech News
← Back to articles

When attackers already have the keys, MFA is just another door to open

2026-04-09 | original
read original get YubiKey 5 NFC → more articles
Why This Matters

The Figure breach highlights a critical vulnerability in relying solely on MFA for security, especially when attackers already possess valid credentials. It underscores the importance of architectural security measures and the need for organizations to rethink their defense strategies against credential reuse and sophisticated attacks. For consumers and the industry, this emphasizes that multi-factor authentication alone is insufficient once adversaries have obtained valid login details.

Key Takeaways

The Figure breach exposed 967,200 email records without a single exploit. Understanding what that enables — and why your MFA cannot contain it — is an architectural problem, not a user education problem.

In February 2026, TechRepublic reported that Figure, a financial services company, exposed nearly 967,200 email records in a newly disclosed data breach. No vulnerability was chained. No zero-day was burned. The records were accessible, and now they are in adversary hands.

Coverage of breaches like this tends to stop at the count. That is the wrong place to stop. The number of exposed records is not the event — it is the starting inventory for the event that follows.

To understand the actual risk, you have to follow the attack chain that a credential exposure like this enables, step by step, and ask honestly whether the authentication controls in your environment can interrupt it at any point.

Most cannot. Here is why.

What Adversaries Do With 967,000 Email Records

Exposed email addresses are not static data. They are operational inputs. Within hours of a record set like this becoming available, adversaries are running it through several parallel workflows simultaneously.

The first is credential stuffing. Figure customers and employees almost certainly reused passwords across services. Adversaries combine the exposed addresses with breach databases from prior incidents — LinkedIn, Dropbox, RockYou2024 — and test the resulting pairs against enterprise portals, VPN gateways, Microsoft 365, Okta, and identity providers at scale. Automation handles the volume.

Success rates on credential stuffing campaigns against fresh email lists routinely run at two to three percent. On 967,000 records, that is 19,000 to 29,000 valid credential pairs.

The second workflow is targeted phishing. AI-assisted tooling can now generate personalized phishing campaigns from an email list in minutes. The messages reference the organization by name, impersonate internal communications, and are visually indistinguishable from legitimate correspondence.

... continue reading

Explore topics: figure credential stuffing figure breach multifactor authentication adversary
Related:
The best apps to make new friends right now
The ‘Deadpool & Wolverine’ Moment Designed for You to Gawk at Hugh Jackman’s Chiseled Body Is Now an Action Figure
Lego Is Bringing Bionicle Back, But Not in the Way You’d Want
A Taxonomy of Interiors
Dammit, Jim, He’s a Doctor *And* an Action Figure!

© 2026 GoKawiil

About | Editorial Policy | Contact