Aura confirms data breach exposing nearly 900,000 records after voice phishing attack

Aura, a U.S.-based consumer digital safety company that provides identity theft protection and fraud monitoring services, has confirmed that an unauthorized party accessed nearly 900,000 customer records following a targeted voice phishing attack on an employee.

The intrusion occurred after the employee was deceived in a phone-based social engineering attack, allowing the attacker to gain access to the employee’s account for approximately one hour. Aura detected the breach and revoked access, then initiated its incident response process, engaged external cybersecurity and legal experts, and notified law enforcement authorities.

The company stated that the majority of the exposed records consisted of names and email addresses stored in a marketing tool inherited through a 2021 acquisition. In addition, the data of fewer than 20,000 current customers and fewer than 15,000 former customers was accessed. In those cases, the exposed information may have included names, email addresses, home addresses, and phone numbers.

Aura emphasized that highly sensitive data, including Social Security numbers, account passwords, and financial information, was not compromised.

The breach disclosure follows claims by the threat group ShinyHunters, which listed Aura on its data extortion site and asserted that it had stolen 12GB of data containing personally identifiable information and corporate material. The group subsequently released the data after stating that no agreement had been reached with the company.

An analysis of the leaked dataset by the breach notification service Have I Been Pwned identified more than 900,000 affected accounts, including additional data points such as IP addresses and customer service comments. The service also found that approximately 90% of the exposed email addresses had previously appeared in earlier data breaches.

Aura stated that its internal figures remain accurate, noting that the larger dataset includes legacy data from the acquired company, while only about 35,000 records relate directly to its customer base.

The company is continuing an in-depth internal review of the incident and has begun notifying affected individuals. Aura indicated that personalized notifications will be issued to those impacted and that support measures will be provided.