Security & Infrastructure Tools
Aura confirms data breach exposing 900,000 marketing contacts
Aura confirms that a voice‑phishing attack exposed nearly 900,000 customer records—names, email addresses, home addresses and phone numbers—from a marketing tool acquired in 2021. The breach involved 20,000 current and 15,000 former customers, with no SSNs or financial data compromised. ShinyHunters claimed to have stolen 12 GB of PII, but Aura has not commented on that claim. The company is conducting an internal review, notifying law enforcement, and will send personalized alerts to affected individuals.
Aura has confirmed that an unauthorized party gained access to nearly 900,000 customer records, exposing names and email addresses of both current and former customers. The breach was caused by a voice phishing attack targeting one of Aura’s employees, which allowed the attacker to retrieve sensitive information from a marketing tool that Aura acquired in 2021. While the data set included full names, email addresses, home addresses, and phone numbers, Aura reports that Social Security Numbers (SSNs), account passwords, and financial details were not compromised.
The incident was publicly disclosed by Aura early this week, with a statement detailing how the breach occurred and what information was exposed. According to the company, the marketing tool used by its acquired partner only contained limited customer data, but when integrated into Aura’s systems it became part of a larger database that ultimately included 35,000 Aura customers. The discrepancy between Aura’s figure of approximately 901,000 affected accounts and the slightly higher number reported by the Have I Been Pwned (HIBP) service—who added the data to its breach database—can be attributed to overlapping records from previous security incidents.
A threat group known as ShinyHunters claimed responsibility for the attack on their data extortion site. They announced that they had stolen 12GB of files containing personally identifiable information (PII) and corporate data, and released a leaked dataset on their platform. The group stated that Aura failed to reach an agreement with them despite multiple offers, highlighting the ongoing challenge of negotiating with malicious actors.
Aura is currently conducting a thorough internal review in partnership with external cybersecurity experts and has notified law enforcement authorities about the breach. In addition, the company plans to send personalized notifications to all affected individuals, informing them of the exposure and offering guidance on how to protect their personal information.
The incident underscores the importance of robust employee training against voice phishing tactics and the need for stringent data handling protocols when integrating third‑party tools. While Aura’s customers may have experienced significant exposure, the company has taken steps to mitigate potential risks and prevent future breaches.