Aura Data Breach Exposes 900,000 Records After Phishing Attack

Aura, a company that sells identity theft protection and fraud monitoring to consumers, has confirmed a data breach affecting nearly 900,000 records. The incident began with a voice phishing attack on an employee and ended with stolen data listed for sale by ShinyHunters. The Aura data breach is now indexed in the Have I Been Pwned database.

The timing is notable. Aura's core product is protecting people from exactly the kind of exposure this breach caused.

How the Attack Unfolded

The entry point was a vishing attack, short for voice phishing. An attacker called an Aura employee, impersonated a trusted party, and convinced them to hand over credentials. That access led the attacker into a marketing tool Aura had inherited from a company it acquired in 2021.

Most of the 900,000 exposed records came from that marketing tool. They were not Aura's core customer database. But the breach did not stop there.

Contact details for fewer than 20,000 active customers and fewer than 15,000 former customers were also accessed. For those individuals, the exposed data included full names, email addresses, home addresses, and phone numbers.

Aura confirmed that Social Security numbers, passwords, and financial information were not compromised.

What ShinyHunters Claims

ShinyHunters took credit for the breach on their data leak site, claiming to hold 12GB of files containing personal data and internal corporate material. The group also alleged they exploited an Okta single sign-on vulnerability to gain access. Aura has not confirmed that specific claim.

Have I Been Pwned independently analyzed the leaked data and added it to its breach database. Its count came in at just over 901,000 affected accounts. The platform also noted that the exposed records included IP addresses and customer service comments, fields Aura did not mention in its own disclosure. Around 90% of the email addresses in the dataset were already present in the HIBP database from prior breaches.

Aura says it will send personalized notifications to all affected individuals.

ShinyHunters and the Salesforce Aura Campaign

This breach connects to a wider operation. ShinyHunters has been running a sustained data theft campaign since September 2025, targeting organizations using Salesforce Experience Cloud. The group exploited misconfigured guest user profiles to query CRM data without authentication, working through the /s/sfsites/aura endpoint.

When an open-source admin tool called AuraInspector was released in January 2026 to help administrators find misconfigured instances, ShinyHunters modified the code and used it for mass reconnaissance across Salesforce environments. The campaign eventually claimed between 300 and 400 victim organizations, with roughly 100 described as high-profile.

Aura's breach is part of that campaign. The threat group named Aura on their leak site on March 12 after the company did not meet their demands. The stolen data was publicly released two days later.

Why This Incident Matters Beyond the Numbers

The scale of this breach is significant, but the context makes it more so. Aura markets itself as a safety net against the exact harms its customers now face. Having names, addresses, and phone numbers exposed creates real phishing and social engineering risk for those affected, even without financial data in the mix.

Breaches at identity protection firms carry a different weight. These companies hold sensitive records and promise to stand between their users and fraud. When attackers get in, it is not just a data loss event. It puts the credibility of the service itself into question.

The human factor is also worth noting. A sophisticated vishing call defeated whatever technical controls were in place. Social engineering continues to be one of the most reliable ways into an organization, regardless of how advanced its security stack is.

What Affected Individuals Should Do

Anyone notified by Aura should treat the exposed data as active risk. Names, email addresses, home addresses, and phone numbers together give attackers enough to craft convincing follow-up attacks.

Watch for unexpected calls, messages, or emails that reference personal details. Be skeptical of anyone claiming to represent Aura, a partner company, or a government agency asking for further information. Enabling multi-factor authentication across key accounts is a practical step worth taking now.

Aura says it will contact everyone affected directly. Those who are unsure can check whether their email appeared in the breach by searching the Have I Been Pwned database.