Aura: The Identity Protection Company That Couldn't Protect Its Own Data
903K Records Stolen by ShinyHunters

Mar 11, 2026 · 903K records · 12GB exfiltrated · vishing

Confidence: HIGH (corroborated)

By Karim El Labban · ZERO|TOLERANCE


Aura - a Boston-based identity protection company that charges consumers to monitor the dark web for their exposed personal data, alert them to identity theft, and provide remediation services - confirmed on March 17, 2026, that a targeted phishing attack had compromised a single employee's corporate account and that data was exfiltrated from a legacy marketing platform. ShinyHunters described the lure as a voice phishing (vishing) call, and Have I Been Pwned later counted 903,100 records in the published dataset.

ShinyHunters, the cybercriminal collective tracked by Google Threat Intelligence Group as UNC6240, claimed responsibility on March 11 after listing Aura on its Tor-based extortion site with 12 gigabytes of stolen data.

After Aura refused to pay the ransom, ShinyHunters published the full dataset.

The breach exposes names, email addresses, home addresses, phone numbers, IP addresses, and customer service comments belonging primarily to marketing contacts inherited from Circle Media Labs - a parental controls company Aura acquired in December 2021. Fewer than 20,000 active Aura customers and fewer than 15,000 former customers had address and phone data exposed.

No Social Security numbers, passwords, or financial data were compromised. The company that sells breach protection got breached.

01

KEY FACTS

  • What: ShinyHunters vished an Aura employee, compromised their corporate account via Okta SSO, and exfiltrated 12GB of data from a legacy marketing platform inherited from Circle Media Labs (acquired December 2021).
  • Who: Aura (identity protection company, Boston, MA; founded 2017; CEO Hari Ravichandran; 1,212 employees; $1.6B valuation). 903,100 records exposed per Have I Been Pwned. Fewer than 20,000 active customers and fewer than 15,000 former customers had addresses and phone numbers exposed. Approximately 865,000 records were pre-acquisition Circle Media Labs marketing contacts.
  • How: Targeted voice phishing (vishing) attack on an Aura employee - the same social engineering playbook ShinyHunters has deployed against TELUS Digital, SoundCloud, Panera Bread, Betterment, and over 100 other organizations since September 2025. The attacker impersonated IT staff, directed the employee to a credential harvesting page mimicking Aura's SSO portal, captured Okta credentials and MFA codes in real time, and registered their own MFA device. Unauthorized access lasted approximately one hour.
  • Data: Names, email addresses, home addresses, phone numbers, IP addresses, customer service comments. NO Social Security numbers, passwords, or financial information.
  • Actor: ShinyHunters (UNC6240 per Google Threat Intelligence Group). Vishing operations attributed to UNC6661. Part of the SLSH (Scattered Lapsus$ Hunters) ecosystem.
  • Impact: 12GB published on Tor-based leak site after ransom refusal. 90% of exposed emails already present in prior breaches per HIBP. Class action investigations launched by Shamis & Gentile and Migliaccio & Rathod. State breach notifications filed in 12 states.

02

WHAT HAPPENED

On March 11, 2026, ShinyHunters listed Aura on its Tor-based data extortion site, claiming to have exfiltrated approximately 12 gigabytes of data containing personally identifiable information and corporate records.

The group stated it had compromised an Aura employee through a voice phishing attack and gained access to internal systems via Okta single sign-on credentials. ShinyHunters claimed the total dataset exceeded 2 million records.

On March 17, 2026, Aura published a statement confirming the breach. The company stated that a "highly targeted phishing attack" had compromised a single employee's corporate account.

Aura's security team detected the unauthorized access and revoked it within approximately one hour.

On March 19, Aura updated its disclosure with additional findings, confirming that no database supporting its core identity theft protection application had been accessed and that the exposed data originated from marketing lists belonging to a company Aura acquired in 2021.

That company was Circle Media Labs, a parental controls and screen time management provider Aura acquired in December 2021. The acquisition was announced alongside Aura's $200 million Series F funding round at a $2.5 billion valuation.

Circle's marketing database - containing names, email addresses, and in some cases home addresses, phone numbers, and customer service records - remained on a legacy platform more than four years after the acquisition (December 2021 to March 2026). This platform was the target of the breach.

Troy Hunt's Have I Been Pwned (HIBP) independently verified the breach on March 18, 2026, cataloging 903,100 unique email addresses.

HIBP's analysis identified the compromised data types as names, email addresses, IP addresses, phone numbers, physical addresses, and customer service comments.

Hunt noted that 90% of the email addresses in the leaked dataset were already present in HIBP from prior, unrelated breaches.

ShinyHunters stated that Aura "failed to reach an agreement with them despite all the chances and offers" made - language indicating that ransom demands were made and rejected.

After Aura refused to pay, ShinyHunters published the full 12GB dataset on their leak site, making it freely available.

03

THE THREAT ACTOR

ShinyHunters is a financially motivated cybercriminal collective that has operated since 2020 and is responsible for breaches at AT&T (110 million records via Snowflake), Ticketmaster (560 million records), Santander (30 million records), and dozens of other organizations.

Google Threat Intelligence Group (GTIG) tracks ShinyHunters' extortion activity under the designation UNC6240 and the associated vishing intrusion activity under UNC6661 and UNC6671. The group operates within the broader SLSH (Scattered Lapsus$ Hunters) ecosystem - a porous alliance of cybercriminal youth clusters including elements of Scattered Spider, LAPSUS$, and The Com.

Since September 2025, ShinyHunters has conducted a sustained campaign targeting organizations through voice phishing attacks aimed at Okta, Microsoft Entra, and Google SSO accounts.

The attack chain is consistent across victims: UNC6661 operators impersonate IT helpdesk staff via phone calls, claim the company is updating MFA settings, direct employees to victim-branded credential harvesting pages (typically registered via NICENIC under names of the form <victim>-sso.com or <victim>-internal.com), capture SSO credentials and MFA codes in real time while keeping the victim on the call, and register their own MFA device to establish persistent access independent of the victim.

Once authenticated, the attackers access the organization's SSO dashboard - which functions as a centralized hub listing all SaaS applications the user has permission to access - and target Salesforce, Microsoft 365, SharePoint, Slack, Zendesk, and other connected platforms for data exfiltration.
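The enrollment step in that chain leaves a distinctive trace in the identity provider's log: a successful login from an address the user has never used, followed within minutes by a new MFA factor on the same account. The detection below is an added example, not Aura's, Okta's or GTIG's code. Field names follow Okta's documented System Log schema (eventType, actor.alternateId, client.ipAddress, outcome.result, published, target); the events and addresses are constructed for the example, and the 30-minute window is an assumed tuning value.

```python
"""Flag the vishing signature in Okta System Log events: a new MFA factor
enrolled minutes after a login from an address the user has never used.

Added example, not Aura's, Okta's or GTIG's code. Field names follow Okta's
documented System Log schema; the events below are constructed, not captured
from a real tenant.
"""
from datetime import datetime, timedelta, timezone

SESSION_START = "user.session.start"          # login attempt (check outcome.result)
FACTOR_ACTIVATED = "user.mfa.factor.activate"  # new MFA device enrolled on the account


def _ev(event_type, published, user, ip, result="SUCCESS", factor=None):
    """Build one constructed System Log event in Okta's documented shape."""
    e = {"eventType": event_type, "published": published,
         "actor": {"alternateId": user}, "client": {"ipAddress": ip},
         "outcome": {"result": result}}
    if factor:
        e["target"] = [{"type": "UserFactor", "displayName": factor}]
    return e


# Constructed sample log. j.doe logs in from the office, then from an unfamiliar
# address and enrols a new factor three minutes later (the attacker's device).
# a.lee enrols a factor from an address already on record: benign.
SAMPLE_EVENTS = [
    _ev(SESSION_START, "2026-03-10T13:02:11Z", "j.doe@example.com", "203.0.113.10"),
    _ev(SESSION_START, "2026-03-09T09:00:00Z", "a.lee@example.com", "203.0.113.25"),
    _ev(SESSION_START, "2026-03-10T16:39:50Z", "j.doe@example.com", "198.51.100.77", result="FAILURE"),
    _ev(SESSION_START, "2026-03-10T16:40:03Z", "j.doe@example.com", "198.51.100.77"),
    _ev(FACTOR_ACTIVATED, "2026-03-10T16:43:20Z", "j.doe@example.com", "198.51.100.77", factor="Okta Verify"),
    _ev(SESSION_START, "2026-03-11T09:05:00Z", "a.lee@example.com", "203.0.113.25"),
    _ev(FACTOR_ACTIVATED, "2026-03-11T09:07:30Z", "a.lee@example.com", "203.0.113.25", factor="Okta Verify"),
]


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def find_suspicious_enrollments(events, window=timedelta(minutes=30), known_ips=None):
    """Return one alert per factor enrolment that follows, within `window`, a
    successful login from an IP not previously seen for that user.

    `known_ips` (user -> set of IPs) should be seeded from history (e.g. the last
    30 days of logins) in real use; without it every user's first login counts as new.
    """
    seen = {u: set(ips) for u, ips in (known_ips or {}).items()}
    recent = {}   # user -> [(login_time, ip, was_new_ip)]
    alerts = []
    for e in sorted(events, key=lambda x: parse_ts(x["published"])):
        if e["outcome"]["result"] != "SUCCESS":
            continue
        user, ip, ts = e["actor"]["alternateId"], e["client"]["ipAddress"], parse_ts(e["published"])
        if e["eventType"] == SESSION_START:
            ips = seen.setdefault(user, set())
            recent.setdefault(user, []).append((ts, ip, ip not in ips))
            ips.add(ip)
        elif e["eventType"] == FACTOR_ACTIVATED:
            for login_ts, login_ip, was_new in recent.get(user, []):
                if was_new and login_ip == ip and timedelta(0) <= ts - login_ts <= window:
                    alerts.append({"user": user, "ip": ip,
                                   "login_at": login_ts.isoformat(), "enrolled_at": ts.isoformat(),
                                   "factor": e.get("target", [{}])[0].get("displayName", "unknown")})
                    break
    return alerts


if __name__ == "__main__":
    for alert in find_suspicious_enrollments(SAMPLE_EVENTS):
        print(alert)
```

Seed `known_ips` from at least a month of successful logins before running this against live data, and pair the rule with a response that revokes the user's sessions and removes the new factor rather than only raising a ticket, since the attacker's foothold here is the enrolled device, not the password.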

In March 2026 alone, ShinyHunters claimed responsibility for breaches at TELUS Digital (1 petabyte stolen, $65 million ransom demanded), Infinite Campus (11 million student records threatened), Aura, and Woflow (326GB exposing Walmart, DoorDash, Uber, Deliveroo).

A concurrent Crunchyroll breach (6.8 million users) occurred via a compromised TELUS agent workstation during the same period but has disputed attribution - assessed as likely SLSH ecosystem-affiliated rather than core ShinyHunters.

The group's campaign has targeted over 100 organizations across education, financial services, healthcare, technology, retail, and energy sectors.

04

WHAT WAS EXPOSED

  • Full names - linked to email addresses and in some cases home addresses, enabling identity correlation and targeted phishing.
  • Email addresses - 903,100 unique addresses. While 90% were already present in prior breaches, the association with an identity protection service adds context that threat actors can exploit in social engineering campaigns.
  • Home addresses - exposed for fewer than 20,000 active customers and fewer than 15,000 former customers. Physical addresses enable mail-based fraud, SIM-swap supporting documentation, and targeted social engineering.
  • Phone numbers - exposed for the same subset. Phone numbers are the prerequisite for SIM-swap attacks and vishing campaigns - the same attack vector that breached Aura in the first place.
  • IP addresses - reveal approximate geographic location and ISP, and can corroborate a home address or tie an individual to a particular household or workplace network.
  • Customer service comments - the contents of support interactions between customers and Aura's service team. These may contain descriptions of prior identity theft incidents, account issues, personal circumstances, and other sensitive context that customers shared in confidence with their identity protection provider.

The customer service comments represent the most damaging data category. Individuals who contacted Aura's support team likely did so because they had experienced or feared identity theft.

The contents of those conversations - now published on the dark web - may describe the specific incidents that drove them to purchase identity protection in the first place.

05

TECHNICAL FAILURE CHAIN

1. Legacy platform retention. Aura acquired Circle Media Labs in December 2021 but retained Circle's marketing database on a legacy platform for more than four years without migrating, decommissioning, or adequately securing it.

The marketing platform was not integrated into Aura's core identity protection infrastructure and appears to have been maintained separately with lower security controls.

2. Vishing susceptibility. The employee who was targeted fell for a voice phishing call - the same attack technique ShinyHunters has successfully deployed against employees at TELUS Digital, SoundCloud, Panera Bread, Wynn Resorts, and dozens of other organizations.

The attack exploits human psychology, not technical vulnerabilities, but organizations with robust security awareness training, out-of-band verification procedures, and phishing-resistant MFA can mitigate the risk.

3. Insufficient MFA controls. ShinyHunters' vishing playbook succeeds because it intercepts time-based one-time passwords (TOTP) and push-based MFA in real time.

The attacker captures the employee's credentials and MFA response simultaneously, then registers their own MFA device. FIDO2/WebAuthn authenticators defeat this chain because the browser binds each assertion to the origin that requested it, so a look-alike domain cannot obtain a usable response; the protection holds only if phishable fallback factors are disabled and enrolling a new factor itself requires a phishing-resistant one.

Aura has not disclosed whether the compromised employee's account was protected by FIDO2 or by a phishable MFA method.

4. Excessive SSO access scope. The compromised employee's Okta SSO credentials provided access to the legacy Circle Media Labs marketing platform.

An identity protection company should apply the principle of least privilege rigorously - particularly to legacy systems containing customer data. A marketing database inherited more than four years earlier should not be reachable from an ordinary employee SSO session without step-up authentication or device posture checks.

5. One-hour detection, multi-year retention. Aura detected and revoked the unauthorized access within approximately one hour - a strong incident response time. But the data that was exfiltrated in that hour had been sitting on a legacy platform for more than four years.

Fast detection cannot compensate for data retention failures. The roughly 865,000 Circle marketing records should have been migrated, minimized, or deleted years ago under any reasonable data governance policy.

06

INDICATORS OF COMPROMISE

Threat Actor:

  • ShinyHunters (UNC6240 per Google TIG)
  • Part of SLSH ecosystem

Attack Vector:

  • Voice phishing (vishing) targeting Aura employee
  • Captured Okta SSO credentials and MFA codes via live phishing panel
  • Registered attacker's own MFA device for persistent access
  • Unauthorized access lasted approximately one hour

Exfiltration:

  • 12 GB from legacy Circle Media Labs marketing platform
  • 903,100 records (per HIBP verification)

07

REGULATORY EXPOSURE

  • CCPA/CPRA (California) - The breach exposed personal information (names, email addresses, home addresses, phone numbers, IP addresses) of California residents. CCPA provides a private right of action for data breaches resulting from failure to maintain reasonable security. Statutory damages: $100-$750 per consumer per incident, or actual damages if greater. CPRA allows the California Privacy Protection Agency to impose administrative fines of up to $7,500 per intentional violation.
  • FTC Act Section 5 - Aura markets itself as an identity protection service, making explicit promises about data security, dark web monitoring, and breach protection. A breach of customer data at a company whose entire value proposition is preventing breaches creates heightened exposure under the FTC's unfair or deceptive practices authority. The FTC has historically pursued enforcement actions against companies whose security practices contradicted their marketing claims - Wyndham Hotels (2015 consent order, no monetary penalty), LifeLock ($100M) and Equifax ($575M) are precedents. Aura's marketing language ("peace of mind," "proactive protection") sets a standard the company failed to meet.
  • State breach notification laws - Aura has filed notifications in 12 states: California, Iowa, Maine, Massachusetts, Montana, New Hampshire, Oregon, Rhode Island, South Carolina, Texas, Vermont, and Washington. Most state statutes require notification without unreasonable delay, and several set outer limits of 30 to 60 days from discovery. Most states define notifiable personal information as a name combined with an SSN, driver's licence number or financial account data, so the exposure of names with home addresses and phone numbers alone does not necessarily trigger notification in all 50 states.
  • GDPR (EU/EEA) - If any of the 903,100 records belong to EU/EEA residents - plausible given Circle Media Labs' consumer reach - Article 5(1)(f) (integrity and confidentiality), Article 32 (security of processing), Article 33 (72-hour supervisory authority notification), and Article 34 (individual notification for high-risk breaches) apply. The maximum fine is the higher of EUR 20 million or 4% of annual global turnover; 4% of the roughly $216M standalone ARR is about $8.6M, so the EUR 20 million ceiling would govern.
  • UK GDPR / DPA 2018 - If UK residents are among the affected individuals, the ICO has enforcement authority with fines up to the higher of GBP 17.5 million or 4% of global turnover.
  • Gramm-Leach-Bliley Act - Aura provides financial identity monitoring services including credit monitoring, bank account alerts, and investment account monitoring. If classified as a financial institution under GLBA, the Safeguards Rule requires implementation of a comprehensive information security program. Failure to protect customer data could trigger enforcement by the FTC or state financial regulators.

08

ZERO|TOLERANCE Advisory

1. Deploy FIDO2/WebAuthn hardware security keys for all employees with SSO access. ShinyHunters' vishing playbook defeats TOTP and push-based MFA by intercepting codes in real time.

FIDO2 keys bind authentication to the legitimate domain origin - the browser refuses to produce an assertion for a look-alike site, so the response cannot be phished, proxied, or replayed. This control would have stopped the initial credential capture, provided that phishable fallback factors were disabled and that enrolling a new factor itself required a phishing-resistant one.
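Why the origin binding holds, for this recommendation and for point 3 of the failure chain above, as an added example in Python that is not Aura's, Okta's or any WebAuthn library's code. It models the three parties (authenticator, browser, relying party) with the assumed names sso.example.com for the SSO origin and example-sso.com for the attacker's look-alike, using only the standard library: an HMAC stands in for the key's ECDSA signature over the bytes WebAuthn actually signs, so the origin and rpIdHash checks are the real ones while the key arithmetic is simulated.

```python
"""Why a FIDO2/WebAuthn assertion obtained on a look-alike domain is useless to an attacker.

Added example; not Aura's, Okta's or any library's code. The RP id "sso.example.com"
and the phishing host "example-sso.com" are assumed names. Stdlib only: the
authenticator's ECDSA signature is stood in for by an HMAC over exactly the bytes
WebAuthn signs, authenticatorData || SHA-256(clientDataJSON).
"""
import base64, hashlib, hmac, json, os
from urllib.parse import urlparse

RP_ID = "sso.example.com"                  # assumed corporate SSO relying-party id
ORIGIN = "https://sso.example.com"
PHISH_ORIGIN = "https://example-sso.com"   # assumed victim-branded look-alike


def b64url(b):
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()


class SecurityError(Exception):
    pass


class NoCredential(Exception):
    pass


class Authenticator:
    """Hardware key: every credential is scoped to the RP id it was registered under."""
    def __init__(self):
        self.creds = {}   # rp_id -> secret (stand-in for the credential private key)

    def register(self, rp_id):
        self.creds[rp_id] = os.urandom(32)
        return self.creds[rp_id]   # in reality the RP stores the matching public key

    def get_assertion(self, rp_id, client_data_hash):
        if rp_id not in self.creds:
            raise NoCredential(f"no credential scoped to {rp_id}")
        # authenticatorData = rpIdHash(32) || flags(1, user-present bit set) || signCount(4)
        auth_data = hashlib.sha256(rp_id.encode()).digest() + b"\x01" + (1).to_bytes(4, "big")
        sig = hmac.new(self.creds[rp_id], auth_data + client_data_hash, hashlib.sha256).digest()
        return auth_data, sig


def browser_get_assertion(page_origin, rp_id, challenge, authenticator):
    """navigator.credentials.get() as the browser performs it: the browser, not the page,
    writes the origin into clientDataJSON and refuses an rpId that is not a registrable
    suffix of the page's host (public-suffix-list handling omitted in this simplification)."""
    host = urlparse(page_origin).hostname
    if not (host == rp_id or host.endswith("." + rp_id)):
        raise SecurityError(f"rpId {rp_id} is not a suffix of {host}")
    client_data = json.dumps({"type": "webauthn.get", "challenge": b64url(challenge),
                              "origin": page_origin}).encode()
    auth_data, sig = authenticator.get_assertion(rp_id, hashlib.sha256(client_data).digest())
    return client_data, auth_data, sig


def rp_verify(rp_id, allowed_origins, issued_challenge, cred_secret, client_data, auth_data, sig):
    """Relying-party side of assertion verification; returns (ok, reason)."""
    cd = json.loads(client_data)
    if cd.get("type") != "webauthn.get":
        return False, "wrong type"
    if cd.get("challenge") != b64url(issued_challenge):
        return False, "challenge mismatch"
    if cd.get("origin") not in allowed_origins:
        return False, f"origin {cd.get('origin')} not allowed"
    if auth_data[:32] != hashlib.sha256(rp_id.encode()).digest():
        return False, "rpIdHash mismatch"
    if not auth_data[32] & 0x01:
        return False, "user presence not asserted"
    expected = hmac.new(cred_secret, auth_data + hashlib.sha256(client_data).digest(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):
        return False, "bad signature"
    return True, "ok"


def run_scenarios():
    """A legitimate login, then the three places a vishing relay fails; returns the reasons."""
    key = Authenticator()
    secret = key.register(RP_ID)          # enrolled on the real SSO origin
    challenge = os.urandom(32)            # one challenge issued by the RP for this login
    out = {}
    cd, ad, sig = browser_get_assertion(ORIGIN, RP_ID, challenge, key)
    out["legit"] = rp_verify(RP_ID, {ORIGIN}, challenge, secret, cd, ad, sig)[1]
    try:   # attacker's page relays the real challenge and asks for the real rpId
        browser_get_assertion(PHISH_ORIGIN, RP_ID, challenge, key)
        out["phish_real_rpid"] = "signed"
    except SecurityError:
        out["phish_real_rpid"] = "browser refused"
    try:   # attacker's page uses its own rpId, which the browser allows
        browser_get_assertion(PHISH_ORIGIN, "example-sso.com", challenge, key)
        out["phish_own_rpid"] = "signed"
    except NoCredential:
        out["phish_own_rpid"] = "no credential for that rpId"
    # defence in depth: even a client coerced into signing over the phishing origin
    # with the real credential is rejected by the RP's origin check
    forged = json.dumps({"type": "webauthn.get", "challenge": b64url(challenge),
                         "origin": PHISH_ORIGIN}).encode()
    ad, sig = key.get_assertion(RP_ID, hashlib.sha256(forged).digest())
    out["forged_origin"] = rp_verify(RP_ID, {ORIGIN}, challenge, secret, forged, ad, sig)[1]
    return out


if __name__ == "__main__":
    for name, reason in run_scenarios().items():
        print(f"{name}: {reason}")
```

The property that matters is that the origin is written by the browser from the page's actual location, not supplied by the attacker's JavaScript, and the key only answers for the rpId it was registered under; a real-time proxy therefore gets either a browser error or nothing. The same reasoning is why the remaining risk sits in factor enrollment and fallback: if the account can still enroll a TOTP app or accept a push after a vished password, the key is bypassed rather than broken.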

2. Establish mandatory out-of-band verification for all IT-initiated credential and MFA changes.

Any call from "IT" requesting credential entry or MFA updates should require verification through a separate, pre-established channel - such as a callback to a known IT number, a Slack confirmation from a verified IT account, or a manager approval workflow.

ShinyHunters' vishing succeeds when employees have no procedure for verifying that the caller is legitimate.

3. Migrate, minimize, or delete legacy data within 12 months of acquisition. The Circle Media Labs marketing database sat on a legacy platform for more than four years after acquisition.

Data minimization is not optional - it is required under GDPR Article 5(1)(c) (data minimisation) and Article 5(1)(e) (storage limitation), required under the CPRA's standard that collection and retention be reasonably necessary and proportionate, and fundamental to reducing breach impact.

The 865,000 pre-acquisition marketing contacts should have been assessed for business necessity, migrated to Aura's secured infrastructure, or deleted.

4. Apply least-privilege access controls to all legacy and acquired systems. The compromised employee's SSO credentials should not have provided access to a marketing database inherited from an acquisition more than four years earlier.

Legacy systems should be isolated in separate security zones with explicit, role-based access controls that require additional authentication factors beyond the primary SSO session.

5. Conduct acquisition security assessments and integration reviews. Every M&A transaction should include a comprehensive security assessment of the acquired company's data assets, platforms, and access controls - not only at the time of acquisition but annually thereafter.

Circle Media Labs' marketing platform should have been subject to an integration review that identified the unprotected data and either secured or decommissioned it.

09

SOURCES

BleepingComputer, Help Net Security, SecurityWeek, Bitdefender, CyberInsider, Gizmodo, Tom's Guide, Cybernews, Have I Been Pwned, Aura Official Statement (March 17 2026), Aura Security Incident Update (March 19 2026), CyberScoop, Google Threat Intelligence Group (Mandiant), Silent Push, Resecurity, ReliaQuest, Picus Security, Flare, ClaimDepot, Shamis & Gentile, Migliaccio & Rathod, PRNewswire (Circle Media Labs acquisition), VentureBeat (Aura Series F), Aura Investor Relations (Series G-II, Qoria acquisition)
