
Aura.com Breach
Mar 15, 2026
921,048 rows
What happened in the Aura.com Breach?
DataBreach.com Team · March 14th 2026, 8:00 pm EDT
Aura said its March 2026 security incident was the result of a targeted phone-phishing attack against an employee, not the separate campaign involving misconfigured Salesforce Experience Cloud sites.
In its latest public statement, the company said an unauthorized third party gained access to an employee account for about an hour. Aura said the incident did not involve the database supporting its identity theft protection application, and that no Social Security numbers, financial account information, credit data, or passwords were exposed.
According to the company, the accessed information came from marketing lists, almost all of it tied to a company Aura acquired in 2021. Aura said roughly 900,000 records were involved, with the vast majority consisting of names and email addresses. The company also said that contact information including name, email address, home address, and phone number was accessed for fewer than 20,000 active Aura customers and fewer than 15,000 former customers.
That explanation differs from the broader ShinyHunters activity reported earlier in March, which centered on public-facing Salesforce Experience Cloud instances and the abuse of guest-user access. Aura said its incident is not related to that campaign and should not be described as part of the Salesforce Aura attack wave.
Even by Aura’s own description of the incident, the exposure still creates meaningful phishing and vishing risk, because attackers can use names, email addresses, phone numbers, and home addresses to make scams appear more credible. Aura said it is notifying affected individuals and maintains there is no ongoing risk to customer data.










