TL;DR: Aura, the company that charges you monthly to protect your identity, just had an employee fall for a voice phishing call. The attacker had access for about an hour and grabbed 900,000 records. ShinyHunters is now selling the data.
An identity protection company needs identity protection
On March 18, 2026, Aura disclosed that a "targeted voice phishing attack" compromised an employee's credentials. The attacker exploited an Okta single sign-on vulnerability and accessed a marketing database tied to a company Aura acquired back in 2021.
The damage: roughly 900,000 records. Aura says the unauthorized access lasted "approximately one hour" before they revoked it.
According to Have I Been Pwned, which tracks breaches, 903,100 accounts were affected. The service also noted that about 90% of the leaked records were already in their database from previous breaches. So if you're an Aura customer, your data might have been floating around anyway.
What ShinyHunters grabbed
The threat group ShinyHunters (the same crew behind recent attacks on Figure Lending and TELUS Digital) claimed responsibility. They're advertising "900,000+ Aura records containing personally identifiable information and internal corporate material" on their data extortion site.
Aura downplays the severity. According to the company:
- Most records were just names and email addresses from marketing lists
- Fewer than 20,000 active customers had names, emails, home addresses, and phone numbers exposed
- Fewer than 15,000 former customers had similar contact info accessed
- No Social Security numbers, passwords, or financial data compromised
But Have I Been Pwned tells a different story. Their analysis shows the breach also included IP addresses, phone numbers, home addresses, and customer service comments. That last one is interesting: customer service notes can contain all sorts of details people share when troubleshooting account issues.
The company that sells trust couldn't protect its own data
Aura's entire business model is convincing you that they can protect your identity better than you can. Their marketing promises "intelligent safety for your entire family." They charge around $15/month for the privilege.
And then an employee fell for a phone call.
Voice phishing (also called vishing) is nothing new. Someone calls pretending to be IT support, creates urgency, and tricks the target into revealing credentials or approving an authentication request. It's social engineering 101.
The fact that a security company's employee was susceptible to this suggests either inadequate security training or insufficient authentication controls. Probably both. If Aura had hardware security keys required for Okta logins, a phone call wouldn't have been enough.
Aura's response
The company says they "revoked access as soon as [they] discovered the intrusion, activated [their] incident response plan, brought in outside cybersecurity and legal specialists, and notified law enforcement."
They acknowledged "falling short of our standards" but claimed they don't expect the incident to "significantly increase customer risk."
Translation: we messed up, but please keep paying us.
If you're an Aura customer
Visit haveibeenpwned.com and enter your email to see if you're in this breach (or any others). It's free.
Attackers now have your name, email, and possibly phone number. Expect convincing phishing emails that mention Aura directly.
You're paying Aura to monitor for breaches. They just had one. Free alternatives like Credit Karma and your bank's fraud alerts do much of the same work.
Freeze your credit. A credit freeze is free at all three bureaus and is more effective than monitoring services. Equifax, Experian, TransUnion: freeze all three.
Security companies aren't immune
This isn't the first time ShinyHunters has hit a security-adjacent company. Their February 2026 campaign used voice phishing to target organizations using Okta SSO, grabbing data from over 400 companies in the process.
The lesson: paying for security products doesn't make you secure. The company you trust with your data is only as strong as its weakest employee on their worst day. Aura's employee had a bad day. You're now in a database somewhere.
Credit freezes remain the single most effective identity theft prevention. They're free. They work. And they don't require trusting a company that just failed its own security test.
Published: March 22, 2026