-
Aura, the global provider of digital security and identity management solutions, announced that it had experienced a data breach that exposed users’ information.
-
The data breach came through a fraudulent phone call made to one of Aura’s employees to gain access.
-
Experts warn that criminals use even basic contact data for scams, especially by combining it with older leaks.
A recent cyberattack on Aura, a protection solutions provider, may have compromised the personal details of approximately 900,000 individuals.
This event highlights how no company, including one dedicated to providing services to enhance users’ online safety, can prevent cyber criminals from attacking them.
Protection against identity theft or digital security is part of the services that Aura provides; therefore, a breach on their system reflects a significant event, drawing significant media attention.
People have come to expect cyber-protection providers to maintain a step ahead of cyber criminals and subsequent attacks, yet this incident shows that cyberattacks are often all about manipulating users versus attacking the underlying systems, or more specifically, targeting the users who successfully operate those systems.
A Simple Phone Call Opened the Door
According to the full report published by the researchers, the breach started with a voice phishing attack, also called “vishing.”
In this kind of scam, attackers call employees and pretend to be trusted contacts. Their goal is simple: get access without raising suspicion. In Aura’s case, the hackers tricked and convinced one employee to provide access to an internal system.
That single moment was enough. Once inside, attackers reached a database tied to marketing operations. The exposed records contain names, emails, phone numbers, and home addresses. This type of data may not seem as valuable as financial data, but criminals can still exploit it in various ways.
Aura explained that the affected records came from a third-party marketing platform linked to a company it acquired back in 2021, which means it’s possible that some of the victims will not be active customers with Aura today.
The company also confirmed that no highly confidential or sensitive data, such as passwords, social security numbers, or bank accounts, were leaked during this incident. However, some cybersecurity professionals believe contact data alone can be an asset for scammers.
Hackers Claim They Took More Data
A notorious hacking group, ShinyHunters, has claimed responsibility for the breach – it disclosed that it stole around 12 GB worth of data from Aura. ShinyHunters published this data on the internet after its negotiating talks with the company failed.
Many of the exposed emails in this recent leak had appeared in previous breaches, showing there is a higher incidence of having a mixed dataset because of the combination of old and new leaks from the hackers.
ShinyHunters has a long history of such attacks. The same group previously claimed responsibility for the Panera Bread data breach that exposed 14 million customer records, demonstrating their consistent targeting of companies across industries and their willingness to dump stolen data when ransom demands aren’t met.
Such combinations make it easier for criminals to create a detailed profile of an individual and ultimately perpetrate a more convincing scam through email or calls. Aura has not fully confirmed all of the hackers’ claims but says it is still investigating the situation with outside experts.
A Wake-Up Call for Businesses and Users
Aura has stated that it is cooperating with law enforcement it will inform all those impacted by the incident. The company is also reviewing its internal processes, especially how employees handle sensitive requests.
But the bigger lesson here is simple. Many cyberattacks today do not start with advanced hacking tools. They start with human error.
A single phone call. A moment of trust. That is all it takes.
For everyday users, the advice remains familiar but important:
- Be careful with unexpected calls or emails
- Do not share sensitive details without verifying the source
- Develop strong passwords that are not easily identifiable as belonging to you
Criminals can easily use basic information against you in various types of fraud/phishing. Many times, fraudsters will use a small amount of information about you to create a bond and earn your trust so that later they may ask for larger amounts of information.
This breach shows how quickly things can spiral. In one instance, a company employee was the target, but within a short time, the attackers compromised hundreds of thousands of records.
