The Company Paid to Protect Your Identity Just Got Hacked


A company that sells identity theft protection just lost 900,000 records to hackers. It happened this week to Aura, one of the largest identity protection providers in the United States, and the irony writes itself.

According to Aura’s own disclosure, an employee fell for a targeted phone phishing attack. The attacker gained access to that employee’s account for roughly one hour. Sixty minutes was enough to pull approximately 900,000 records, most of them names and email addresses stored in a marketing tool from a company Aura acquired in 2021.

Aura says fewer than 20,000 active customers and under 15,000 former customers had contact information exposed, including names, emails, home addresses, and phone numbers. No Social Security numbers, passwords, or financial data were part of the breach, according to the company.

The group behind the attack is ShinyHunters, a hacking collective that operates on a simple model: steal data, demand payment, publish if ignored. Aura didn’t pay. ShinyHunters dumped the stolen files, 12GB worth, on their leak site. Have I Been Pwned confirmed the incident and added it to its database.

How did hackers breach an identity protection company?

ShinyHunters didn’t use a sophisticated zero-day exploit. They made a phone call. The technique is called vishing, short for voice phishing. An attacker impersonates a trusted contact, tricks an employee into giving up access, and moves fast once inside. Social engineering is still the most reliable way to get past security systems, and no amount of encryption helps if an employee hands over the keys.

The attack is part of a broader campaign. ShinyHunters has been exploiting misconfigured Salesforce Experience Cloud instances since September 2025, using a modified version of AuraInspector, an open-source auditing tool built by Mandiant. The group claims to have hit between 300 and 400 organizations this way, many of them in the cybersecurity sector.

The leaked records (names, home addresses, phone numbers, IP addresses) are exactly the data that fuels more phishing campaigns. Expect the people in that 12GB file to receive very convincing scam calls in the coming months.

What to do if you’re reconsidering your identity protection

First, check Have I Been Pwned to see if your email was part of the leak. Change any password tied to your Aura account. Watch for phishing attempts that reference your home address or phone number, because that combination is what makes vishing calls convincing.

If you’re looking for an alternative, we’ve compared the best Aura alternatives and competitors in a full guide. For a quick pick, NordProtect is worth a look. Built by Nord Security, the company behind NordVPN, it’s a standalone identity theft protection service for US customers. Plans start at $0.99/month (75% off, 24-month commitment) with dark web monitoring and up to $10,000 in identity theft recovery on the entry tier. The Silver plan at $4.99/month adds credit monitoring via TransUnion, credit freeze assistance, up to $1 million in identity theft recovery, $50,000 in cyber extortion protection, and $10,000 in online fraud coverage. That extortion piece is directly relevant here: ShinyHunters’ entire business is “pay or we publish.”


To be clear: no identity protection service is breach-proof. NordProtect can’t guarantee its own systems will never be compromised, just like Aura couldn’t. We’ve compared the best Aura alternatives and competitors in detail if you want to weigh all your options. What NordProtect can do is monitor whether your data shows up on the dark web, alert you fast, lock your credit, and cover your costs if something goes wrong. Every plan includes a 30-day money-back guarantee. At $0.99/month to start, the financial risk is zero.




National Cyber Security

FREE
VIEW