PayPal discloses data breach that exposed user info for 6 months
- PayPal disclosed a data breach affecting approximately 100 customers through a software error in its PayPal Working Capital (PPWC) loan application.
- The breach exposed sensitive personal information including names, email addresses, phone numbers, business addresses, Social Security numbers, and dates of birth.
- The exposure occurred from July 1, 2025, to December 13, 2025, lasting nearly six months before discovery on December 12, 2025.
- PayPal immediately reversed the code change responsible for the incident, blocking further unauthorized access within one day of discovery.
- The company detected unauthorized transactions on a small number of customer accounts and issued refunds to affected parties.
- PayPal is offering two years of free three-bureau credit monitoring and identity restoration services through Equifax, requiring enrollment by June 30, 2026.
- All impacted account passwords were reset, and users will be prompted to create new credentials upon next login.
- PayPal also advised customers to monitor credit reports and account activity for suspicious transactions.

Data breach at French bank registry impacts 1.2 million accounts
- The French Ministry of Finance disclosed a cybersecurity incident affecting 1.2 million user accounts in the FICOBA (national bank account registry).
- Threat actors gained access using stolen credentials from a civil servant with access to the interministerial information sharing platform in late January 2026.
- The compromised database contained sensitive banking and personal information including bank account details (RIBs/IBANs), account holder identity information, physical addresses, and taxpayer identification numbers for some accounts.
- The Ministry took immediate action to restrict the threat actor’s access upon detection, but approximately 1.2 million account records were already exposed to potential exfiltration.
- FICOBA operations were disrupted, and restoration efforts are underway with enhanced security measures.
- The French data protection authority (CNIL) was notified, and affected customers will receive individual notifications over the following days.
- Banking institutions were informed and advised to raise customer awareness about increased vigilance against scams and phishing attempts.

Data breach at fintech firm Figure affects nearly 1 million accounts
- Figure Technology Solutions, a blockchain-native financial technology company specializing in lending and securities trading, suffered a data breach affecting 967,200 accounts.
- The ShinyHunters extortion group claimed responsibility and leaked 2.5GB of data allegedly stolen from thousands of loan applicants.
- The breach resulted from a social engineering attack where an employee was tricked into providing access credentials.
- Exposed data included over 900,000 unique email addresses along with names, phone numbers, physical addresses, and dates of birth dating back to January 2026.
- Figure has unlocked over $22 billion in home equity with over 250 partners including banks, credit unions, fintechs, and home improvement companies.
- The company confirmed the incident and attributed it to the social engineering attack.
- Have I Been Pwned revealed the extent of the incident after the company initially did not publicly disclose it.
- ShinyHunters has claimed similar breaches at multiple high-profile organizations including Canada Goose, Panera Bread, Betterment, SoundCloud, and PornHub, often through voice phishing campaigns targeting SSO accounts.

Millions of passwords and Social Security numbers exposed as old hacks remain a threat
- An unsecured database exposed billions of records, including roughly 3 billion email addresses and passwords plus about 2.7 billion records with Social Security numbers.
- After accounting for duplicates, the unique entries likely total tens to hundreds of millions, with around a quarter of sampled SSNs verified as correct.
- The affected data types include email addresses, passwords, and Social Security numbers.
- Much of the data stems from separate breaches over a decade, including a major 2024 leak of 2.7 billion records and older 2015-era entries identified via password trends like One Direction and Taylor Swift references.
- Cybersecurity firm UpGuard discovered the database and analyzed its contents.
- UpGuard contacted a sample of affected individuals to validate the data’s accuracy and potential risks.
- No specific mitigation steps, such as credit monitoring, system shutdowns, or law enforcement involvement, are mentioned for any affected organizations, as the database appears to be a compilation from past breaches rather than a single new incident.
- The exposure highlights the ongoing threat from old breach data that has not yet been exploited, such as Social Security numbers, which do not change.

Aussie fintech platform youX confirms data breach as hacker shares massive dataset online
- The breach affected 444,538 unique borrowers’ personal and financial data, including 629,597 loan applications, 607,822 residential addresses, and copies of 229,236 Australian driver’s licences.
- A preview dataset shared by the hacker includes $3.7 billion in loan applications across 149,349 records, with 5,010 driver’s licences, 5,955 residential histories, and 5,955 employment records.
- Additional compromised data covers 797 broker organisations, with ABNs, banking details, staff directories, full customer portfolios, and over 8,000 password hashes for broker employees.
- The hacker accessed an unsecured MongoDB Atlas cluster containing data from over 90 downstream lenders. youX confirmed unauthorised access by a third party and is investigating the incident.
- The company notified the Office of the Australian Information Commissioner (OAIC) and plans regulatory notifications to affected individuals.
- youX updated its disclosure statement on February 17 and continues to engage stakeholders.
- Viking Asset Aggregation, a partner, acknowledged the incident and is working with youX to support enquiries.
- There is no mention of credit monitoring, system shutdowns, or law enforcement involvement. The hacker threatens to release more data in stages.

ShinyHunters claims it drove off with 1.7M CarGurus records
- ShinyHunters claimed to have stolen 1.7 million corporate records from CarGurus, including personally identifiable information (PII) such as names, email addresses, phone numbers, physical addresses, and IP addresses.
- The data also encompassed finance pre-qualification application details, user account ID mappings, dealer account information, subscription data, and auto finance application outcomes across more than 12 million email addresses in multiple files.
- The breach occurred on February 13, 2026, via vishing attacks targeting single sign-on codes from Okta, Microsoft, and Google services.
- CarGurus did not immediately respond to inquiries and has not publicly confirmed the breach or detailed any mitigation steps like credit monitoring, system shutdowns, or law enforcement involvement.
- ShinyHunters issued a final warning to CarGurus to contact them by February 20, 2026, threatening to leak the data publicly along with further digital disruptions.
- The group posted CarGurus on its leak site as part of a broader spree targeting multiple firms. Following failed extortion, the data was published online. No specific organizational responses or remedial actions are reported for CarGurus itself.
