Aura, a US-based identity protection company, has confirmed a data breach affecting approximately 900,000 records, primarily involving contact information stored in a marketing system.
The company said the majority of the exposed data relates to names and email addresses collected through a third-party marketing platform linked to a business it acquired in 2021. According to the company’s statement, the breach did not impact its core systems that store more sensitive customer information.
Aura stated that a smaller subset of records included additional personal information. This group involved fewer than 20,000 active customers and fewer than 15,000 former customers. In those cases, exposed data may have included names, email addresses, phone numbers, and home addresses. The company said that Social Security numbers, passwords, and financial data were not accessed.
The breach follows claims by a threat actor offering a dataset containing more than 900,000 Aura-related records. External analysis of the data indicated it included contact details and other information such as IP addresses and customer service notes.
Security researchers linked the incident to a broader campaign targeting systems connected to Salesforce environments. Reports indicate attackers may have exploited misconfigured access controls in publicly exposed services to retrieve data without authentication.
Aura said it is notifying affected individuals where appropriate and guiding customers. The company also stated that it has taken steps to secure the affected systems and prevent similar incidents.
The company provides identity monitoring and fraud protection services, including tools designed to alert users to data exposure. Officials said the investigation into the incident is ongoing, with further analysis focused on determining the full scope of the breach and the systems involved.