Mar 20, 2026 · 5 min read

The Company You Paid to Protect Your Identity Just Got Hacked by a Phone Call

Aura, a $1.6 billion identity protection platform trusted by hundreds of thousands of customers, was breached by the ShinyHunters gang using a single voice phishing call. The attacker had access for less than an hour, but that was enough.

Aura bills itself as an all-in-one digital safety platform. For roughly $12 a month, subscribers get identity theft monitoring, credit alerts, a VPN, antivirus software, and a password manager. The company pulled in $385 million in revenue last year and was valued at $1.6 billion. Its entire pitch is that it stands between you and the people trying to steal your data.

On March 18, 2026, Aura disclosed that someone had done exactly that to them.

One Phone Call Was All It Took

The breach began with a targeted voice phishing attack, sometimes called vishing. An attacker called an Aura employee, impersonated IT staff, and convinced them to hand over their single sign-on credentials and a multi-factor authentication code. With those two pieces of information, the attacker walked into Aura's internal systems through what ShinyHunters described as an Okta SSO attack.

The intruder had access for approximately one hour before Aura detected the unauthorized session and revoked it. In that window, about 900,000 records were exfiltrated from a marketing tool tied to a company Aura acquired in 2021.

What Was Exposed

The stolen data breaks down into three groups:

  • The bulk of the 900,000 records: names and email addresses from a legacy marketing database
  • Fewer than 20,000 active customers: names, emails, home addresses, phone numbers, and IP addresses
  • Fewer than 15,000 former customers: the same categories as active customers

Aura says Social Security numbers, passwords, and financial information were not compromised. Have I Been Pwned confirmed the incident, reporting 903,100 affected accounts. Roughly 90% of those email addresses had already appeared in previous breaches.

ShinyHunters: The Group Behind the Attack

ShinyHunters is no amateur operation. The group has stolen over 400 million records from more than 60 companies, including Ticketmaster, AT&T, Snowflake customers, and Santander Bank. In 2026 alone, they have hit Panera Bread (5 million records), CarGurus (12.5 million records), Match Group (10 million records), Harvard University, and Dutch telecom Odido (6.2 million records).

Their playbook is consistent. According to Google's Mandiant threat intelligence team, ShinyHunters operators call employees pretending to be IT support, direct them to fake login pages that mimic the company's real SSO portal, and capture both the password and the MFA code in real time. The same method was used to breach 12.5 million CarGurus accounts and drain 1.4 million Betterment investment accounts earlier this year. Once inside, they register their own device for MFA so they no longer need the victim.
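The last step of that playbook, an attacker enrolling their own MFA device shortly after logging in from an unfamiliar network, leaves a pattern in the identity provider's audit log that defenders can hunt for. The detection below is an added example, not code from the original post or from any vendor: the event names, field names and the baseline of known IPs are assumptions, and the log lines are constructed for illustration.

```python
import json
from datetime import datetime, timedelta

# Constructed sample IdP audit events (not a real vendor log format); the
# event and field names are assumptions chosen for this illustration.
SAMPLE_LOG = """
{"ts": "2026-03-18T09:02:11Z", "user": "alice", "event": "session.start", "ip": "203.0.113.10"}
{"ts": "2026-03-18T13:40:05Z", "user": "bob", "event": "session.start", "ip": "203.0.113.11"}
{"ts": "2026-03-18T14:15:30Z", "user": "bob", "event": "session.start", "ip": "198.51.100.7"}
{"ts": "2026-03-18T14:19:02Z", "user": "bob", "event": "mfa.factor.enroll", "ip": "198.51.100.7", "factor": "push"}
{"ts": "2026-03-18T16:00:00Z", "user": "alice", "event": "mfa.factor.enroll", "ip": "203.0.113.10", "factor": "totp"}
{"ts": "2026-03-19T08:30:00Z", "user": "carol", "event": "session.start", "ip": "192.0.2.44"}
{"ts": "2026-03-19T11:45:00Z", "user": "carol", "event": "mfa.factor.enroll", "ip": "192.0.2.44", "factor": "push"}
"""

# Constructed baseline: IPs each user has logged in from before this window.
BASELINE_IPS = {"alice": {"203.0.113.10"}, "bob": {"203.0.113.11"}, "carol": {"192.0.2.44"}}
WINDOW = timedelta(minutes=60)

def parse_events(text):
    """Parse newline-delimited JSON events and sort them by timestamp."""
    events = []
    for line in text.strip().splitlines():
        rec = json.loads(line)
        rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(rec)
    return sorted(events, key=lambda r: r["ts"])

def find_suspicious_enrollments(events, baseline, window=WINDOW):
    """Flag an MFA enrollment that happens within `window` of a login from an IP
    the same user had never used before, and from that same new IP."""
    known_ips = {u: set(ips) for u, ips in baseline.items()}  # copy, don't mutate caller's data
    new_ip_logins = {}  # user -> [(login time, ip)] for logins from previously unseen IPs
    alerts = []
    for rec in events:
        user = rec["user"]
        if rec["event"] == "session.start":
            seen = known_ips.setdefault(user, set())
            if rec["ip"] not in seen:
                new_ip_logins.setdefault(user, []).append((rec["ts"], rec["ip"]))
            seen.add(rec["ip"])
        elif rec["event"] == "mfa.factor.enroll":
            for login_ts, login_ip in new_ip_logins.get(user, []):
                if login_ts <= rec["ts"] <= login_ts + window and rec["ip"] == login_ip:
                    alerts.append({"user": user, "ip": login_ip, "factor": rec.get("factor"),
                                   "login_ts": login_ts.isoformat(), "enroll_ts": rec["ts"].isoformat()})
    return alerts

if __name__ == "__main__":
    for alert in find_suspicious_enrollments(parse_events(SAMPLE_LOG), BASELINE_IPS):
        print("ALERT:", alert)
```

In the constructed data only bob's enrollment fires: it follows a login from a never-before-seen IP by four minutes, whereas alice's and carol's enrollments come from their usual addresses hours after any login.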

If the company refuses to pay, the data gets leaked on dark web forums or sold to other criminals. In Aura's case, ShinyHunters advertised the stolen records publicly.

The Irony Problem

The uncomfortable truth is that Aura's core product is supposed to prevent exactly this kind of damage. The company monitors the dark web for its customers' exposed data, alerts them when their information appears in breaches, and helps them recover from identity theft. Now Aura itself is the source of a breach that put customer contact information into criminal hands.

This does not mean Aura's product is useless. The breach came through a human vulnerability, not a product flaw. But it does highlight a fundamental problem: no amount of monitoring software can undo the fact that your data is already out there once it has been stolen. Prevention beats detection every time.

Why Voice Phishing Is So Effective

Email phishing gets most of the attention, but voice phishing is surging because it exploits something email filters cannot catch: real-time human trust. When someone calls you claiming to be from your company's IT department and references internal tools by name, the instinct to comply is strong. There is no suspicious link to hover over, no attachment to scan, and no time to think. The conversation happens live, and the attacker controls the pace.

ShinyHunters has refined this into a repeatable process. Mandiant documented that when initial calls fail, the group escalates to SMS threats, harassment, and even DDoS attacks against the target company to create enough chaos that employees start complying.

What You Should Do

If you are or were an Aura customer, take these steps:

  • Check Have I Been Pwned to see if your email was in the breach
  • Watch for phishing emails that reference Aura, identity protection, or subscription renewals. Attackers now know you are a security-conscious user, which makes you a more valuable target for social engineering
  • Never share MFA codes over the phone, even if the caller claims to be from your company's IT department. Legitimate IT staff will never ask for them
  • Use hardware security keys like YubiKey for your most important accounts. They are immune to phishing because they verify the actual website domain, not just a code

The broader lesson is that identity protection services are a safety net, not a wall. They can alert you after your data appears in a breach, but they cannot stop the breach from happening. Reducing the amount of personal information you share online, using unique email aliases for different services, and treating every unexpected phone call with skepticism will do more to protect you than any monitoring subscription.