Identity-Protection Firm Aura Breached by Voice Phishing, Exposing 900,000 Records
Aura confirmed hackers accessed a marketing database after tricking an employee by phone, exposing roughly 900,000 contact records in a breach claimed by ShinyHunters.

Aura, a company whose core business is protecting people from identity theft, disclosed that hackers stole roughly 900,000 records from its marketing database after tricking an employee with a targeted phone call, a breach now claimed by the criminal group ShinyHunters.
The attack exploited a technique known as voice phishing, or vishing, in which an attacker impersonates a trusted party over the phone to manipulate an employee into surrendering account credentials. "Aura is aware of an incident where one of our employees was the victim of a targeted phone phishing attack," the company said in a statement. "We identified that an unauthorized third party gained access to that employee's account for approximately one hour. Upon discovery, Aura immediately terminated access to the account and activated its incident response plan, engaged external cybersecurity and legal experts, and notified law enforcement."
The exposed records came from a marketing database belonging to a company Aura acquired in 2021. The data included full names, email addresses, home addresses, phone numbers, IP addresses, and customer service notes. Aura said Social Security numbers, account passwords, financial information, credit records, and its core identity-theft protection database records were not accessed, and that customer user accounts remained secure.
The breach's reach across Aura's active user base was comparatively narrow: fewer than 20,000 current customers and fewer than 15,000 former customers had contact information exposed. The much larger count of roughly 900,000 reflects the broader marketing list, which included contacts beyond Aura's subscriber base.
Have I Been Pwned, the breach-notification service, added the leaked data to its database and logged a count of just over 901,000 records, slightly higher than Aura's figure. Aura said its own count was accurate. Have I Been Pwned also found that approximately 90 percent of the exposed email addresses were already present in its database from previous, unrelated breaches.

ShinyHunters, a hacking group previously linked to major data thefts at AT&T and Salesforce, claimed responsibility and said it extracted 12 gigabytes of files containing customer personal information and corporate data. The group advertised the stolen files on its extortion site before Aura made any public disclosure, stating that Aura had "failed to reach an agreement with them despite all the chances and offers." ShinyHunters' claims have not been independently verified, and Aura has not publicly addressed the alleged extortion contact.
The incident fits a pattern that has accelerated sharply in recent years. Help-desk impersonation and voice-based social engineering have become the leading entry point for identity-based breaches, enabling attackers to bypass technical defenses entirely by targeting human judgment. A breach at DoorDash was similarly traced to social engineering by a third-party vendor.
The fact that a single vishing call, followed by roughly one hour of unauthorized account access, was sufficient to extract nearly a million records from a data-protection firm underscores how exposed legacy marketing databases can be, particularly those accumulated through acquisitions and potentially subject to looser access controls than core product systems.
Aura said it is conducting an internal review and will send personalized notifications to affected individuals. The company has not disclosed the specific date the breach occurred, when it was detected, or which law enforcement agencies were notified.
