Aura Data Breach Exposes 900,000 Marketing Contacts via Voice‑Phishing Attack
What Happened — Aura, a consumer identity‑protection SaaS, confirmed that a voice‑phishing (vishing) attack on an employee led to unauthorized access and exfiltration of nearly 900,000 marketing‑tool records. The leak includes full names, email addresses, home addresses, phone numbers, IP addresses and service‑center comments for roughly 35k Aura customers and 865k other contacts.
Why It Matters for TPRM —
- Large‑scale PII exposure creates phishing and credential‑stuffing risk for downstream partners.
- The breach originated from a third‑party marketing platform inherited through an acquisition, highlighting supply‑chain data‑handling gaps.
- The threat actor ShinyHunters publicly released the data, increasing reputational and regulatory pressure on Aura and any organizations that share its services.
Who Is Affected — Consumer‑facing identity‑protection SaaS providers, marketing‑tool vendors, and any enterprises that integrate Aura’s identity‑verification APIs.
Recommended Actions — Review contracts and data‑flow diagrams for Aura‑related services, verify that third‑party marketing data is segmented, and confirm that MFA and phishing‑resistance controls are enforced for all Aura accounts.
Technical Notes — Attack vector: voice‑phishing (vishing) that compromised employee credentials. No known CVEs; data types exposed: names, emails, physical addresses, phone numbers, IP addresses, and service‑center comments. Financial data, SSNs, and passwords were not compromised. Source: BleepingComputer