Identity protection company Aura suffers massive 900,000 person data breach: customer information exposed

Aura, an identity protection company, released a statement this week confirming a data breach that exposed nearly 900,000 customer records. Those records contained names and email addresses.

According to the statement, the breach was caused by a voice-based phishing attack that gave an unauthorized third-party access to an employee account for "approximately one hour." That exposed the sensitive data of 20,000 current customers and 15,000 former customers.

The company has terminated access to that account, and says that the malicious party was able to access the nearly 900,000 records via a marketing list from a company Aura acquired in 2021. However, Aura asserted that while the exposed information from the list did contain contact information from current or former Aura customers, no user accounts were accessed.

"No sensitive information provided by customers to Aura for monitoring purposes — such as Social Security numbers, financial information, credit records, or passwords — was compromised," Aura said.

For the unaware, Aura is an identity protection company that sells identity theft protection, credit and fraud monitoring and online tools meant to protect against phishing.

We consider Aura one of the best identity theft protection services available. If this breach makes you nervous, there are other options, like Norton's LifeLock worth considering.

Hacker group claims responsibility

The hacker group ShinyHunters claimed responsibility for the attack, according to BleepingComputer. The group said they stole 12GB of files containing personally identifiable information from customers, as well as Aura corporate data.

Allegedly, ShinyHunters failed to ransom the data and subsequently released the information. "The company failed to reach an agreement with us despite all the chances and offers we made. They don't care."

Have I Been Pwned added the Aura breach to its database and noted that the breach included IP addresses and customer service comments. In an X post, HIBP noted that "90% were already in" their database as having been previously exposed in other incidents.

Aura is in the midst of an internal review with external cybersecurity experts and the company has also notified law enforcement.

If you are an Aura customer, you should receive personalized notifications soon.

How to stay safe after a data breach

Aura insists there is no "ongoing risk to customer data" and that is identity theft services are still safe to use. The company says it will support impacted customers, but it's not clear what they will offer.

Usually, companies exposed by data breaches offer complimentary identity monitoring services, though there are other steps you can take.

You can claim up to one free credit report a year, so that might be something to consider. Likewise, you can also place a free fraud alert on your credit file by contacting one of the major credit agencies like Equifax, Experian or TransUnion. These alerts usually last for 90 days.

As always, you'll want to be on high alert for phishing attacks and social engineering attacks, especially ones that urge you to "act now." Avoid clicking on any links, QR codes, or attachments from unknown senders.

Now might also be a good time to consider password haul by making strong, complex passwords for all your accounts. You should consider using one best password managers to do so.

Let us know if you receive a notification letter from Aura.

Follow Tom's Guide on Google News and add us as a preferred source to get our up-to-date news, analysis, and reviews in your feeds.

More from Tom's Guide

• More than 220 million iPhones under attack from new DarkSword exploit — how to stay safe
• What is AgeGO, and is it safe to use?
• Online age verification in the USA – a complete timeline