Identity-Protection Firm Aura Says Hackers Accessed 900,000 Records After Phone Scam on Employee


Aura, a U.S. company that sells identity-theft protection, says hackers accessed nearly 900,000 records, mostly marketing contact data, after tricking an employee in a targeted phone scam.

The company says the exposed information primarily includes names and email addresses, with a smaller subset containing mailing addresses and phone numbers. Aura says Social Security numbers, passwords, and financial information were not compromised.

The hacking group ShinyHunters has claimed responsibility, saying it stole about 12 gigabytes of files and later posted them online after extortion talks fell apart. The breach has also been added to the public leak-checking service Have I Been Pwned, allowing people to see whether their email appears in the dataset.

What Aura says was exposed, and what wasn’t

Aura is drawing a bright line around what it says attackers did not get: no SSNs, no passwords, no banking or payment details. That matters because it lowers the odds of immediate account takeovers or direct financial fraud tied to this incident.

But the data that was accessed (contact information) still has real value to criminals. A clean list of names and emails can supercharge phishing campaigns, especially messages that impersonate security alerts, invoices, or “verify your account” notices. Add a phone number or home address and scammers can move beyond email into texts, calls, and even mailers that feel uncomfortably personal.

Nearly 900,000 records, including data tied to a 2021 acquisition

Aura says the bulk of the exposed records, about 865,000, came from a marketing database inherited from a company it acquired in 2021. Aura also says contact information for fewer than 20,000 current customers and fewer than 15,000 former customers may have been accessible.

That customer-related slice is typically the most sensitive, because it can include fuller profiles, like addresses and phone numbers, that make scams easier to tailor. A convincing fraud attempt doesn’t need your Social Security number if it can sound like it already knows you.

There’s also a small discrepancy in the totals: some breach-tracking and alert services report a little more than 901,000 entries. Aura says its count is accurate, and differences like this can come from duplicates or how records are tallied. Either way, the practical reality is the same: the dataset is circulating.

ShinyHunters claims it dumped 12GB after extortion talks failed

ShinyHunters, a well-known name in cybercrime circles, says it exfiltrated roughly 12GB of files and then published them when negotiations didn’t produce a payout. That pattern (steal, threaten, demand money, then leak) is now standard operating procedure for many groups.

Once data is posted publicly, it’s no longer just one group’s leverage. It becomes raw material for a wider ecosystem of scammers, including lower-skill operators who specialize in mass phishing and phone fraud.

External analysis of the leaked material has suggested additional fields may be present, including IP addresses and customer-service notes. Those details (references to a prior support interaction, a city, or an internet provider) can give scammers a script that makes a cold call sound legitimate.

The breach started with “vishing”, a phishing attack by phone

Aura says the intrusion began with “vishing,” short for voice phishing: an attacker impersonated a legitimate party over the phone and manipulated an employee into granting access. It’s the same social-engineering playbook used in countless corporate break-ins: urgency, authority, and just enough inside knowledge to sound real.

Aura says the unauthorized access lasted about an hour before it was cut off. An hour may sound brief, but it can be plenty of time to export a marketing database, especially in modern CRM and marketing platforms built to move data quickly.

The incident also highlights a familiar weak spot: older marketing systems and acquisition-era databases that keep running because they’re useful, even if security controls and access permissions haven’t been tightened to today’s standards.

Have I Been Pwned added the leak: here’s why that matters

Have I Been Pwned, a widely used breach-notification site run by security researcher Troy Hunt, has ingested the leaked data. That means people can check whether their email address appears in the Aura dataset without waiting for a company notice.

One wrinkle: reports indicate roughly 90% of the exposed email addresses were already known from earlier breaches. That doesn’t make this leak harmless. Criminals profit by combining old data with new details, like a newly linked phone number, address, or support note, to make scams more believable and more effective.

For consumers, the immediate risk is targeted social engineering: unexpected calls, texts, or emails that use personal details to pressure you into clicking a link, sharing a code, or installing remote-access software. For Aura, and companies like it, the reputational stakes are high. When a brand sells trust and protection, attackers know its customer lists can be especially valuable for impersonation schemes.

Key Takeaways

  • Aura confirms unauthorized access to nearly 900,000 records, mostly marketing contacts.
  • ShinyHunters claims responsibility for the theft and leaked a 12 GB dataset after extortion talks failed to reach an agreement.
  • The initial attack relied on vishing targeting an employee, with a session lasting about an hour.
  • The exposed fields could enable targeted scams, even without SSNs, passwords, or banking data.

Frequently Asked Questions

What data was exposed in the Aura breach?

Aura says the accessed data mainly included names and email addresses from a marketing database. For a smaller subset, mailing addresses and phone numbers may also have been accessible. External analyses also mention IP addresses and support-related comments.

Were Social Security numbers and banking data compromised?

Aura says Social Security numbers (SSNs), passwords, and financial information were not compromised in this incident. The main risk is targeted phishing, vishing, or fraudulent SMS/text-message campaigns.

How did the attack start, according to Aura?

According to Aura, the initial access came from vishing: an attacker manipulated an employee over the phone to gain access to the employee’s account. Aura says the unauthorized access lasted about an hour before it was stopped.

Why can a leak of marketing contacts be dangerous?

Even without login credentials, a contact list can be used to personalize scams. A fraudster can cite a name, address, phone number, or even contextual details to pressure a victim into installing software, making a payment, or sharing additional information.

How can I check whether my email is in the leaked dataset?

Have I Been Pwned has added the breach to its database, which lets you check whether an email address appears in the leaked dataset. This can help you decide to be extra cautious about unexpected calls and messages.

Michel Gribouille
I'm Michel Gribouille, a jack-of-all-trades writer and master of the keyboard on my site europe-infos.fr. I juggle current events and varied topics, always with a touch of humor and an insatiable curiosity. Serious when necessary but never boring, I like to make my articles as lively as my morning coffee!