A single phone call just spilled 900,000 records — proof that your old marketing database can haunt you years after the ink dries on an acquisition.
Aura confirmed that a voice-phishing (vishing) attack tricked an employee into handing over access to a marketing platform the company inherited through a 2021 acquisition — not its core account systems.
The exposed data included full names, email addresses, home addresses, and phone numbers. About 20,000 current customers and 15,000 former customers were affected; the remainder were broader marketing contacts.
The ShinyHunters group listed Aura on its extortion site, claiming to hold 12 GB of customer and internal corporate files. Aura has confirmed the breach itself but has not verified every allegation the group made, including separate claims tied to single sign-on access.
Social Security numbers, passwords, and financial data were not involved, according to the company. That limits the immediate risk of direct account takeover, but the stolen contact details can still fuel targeted phishing, impersonation, and fraud campaigns.
"The stolen contact data could still be used in follow-up phishing, impersonation or fraud campaigns."
Have I Been Pwned has already indexed the leaked addresses; breach trackers note that most had appeared in earlier dumps. Aura has brought in outside cybersecurity experts, notified law enforcement, and plans to contact affected individuals directly.
The incident underlines a persistent acquisition risk: inherited tools and datasets can widen a company's exposure years after the deal closes.
Source: Bitdefender