Aura data breach: What happened, what was exposed, and how to protect yourself
Aura disclosed a security incident involving limited customer information. Incidents like this can create uncertainty about what data was involved, who may have been affected, and what the company has confirmed.
This article explains what Aura has stated about the breach, which information was exposed, what data was not affected, and what support options were made available to impacted individuals. It also covers how to monitor accounts for suspicious activity and reduce the risk of identity theft.
What happened in the Aura data breach
In March 2026, Aura (a digital security and identity protection company) disclosed that an unauthorized party had accessed an employee’s corporate account after a targeted phone phishing (vishing) attack. According to Aura, the unauthorized access lasted for approximately one hour before its security team removed the party.
Aura stated in its security incident update that the records accessed were primarily from a sales and marketing database associated with Circle Media Labs, Inc. (“Circle”), which Aura acquired in 2021.
How the breach occurred
According to Aura's published statement, the unauthorized party used its access to the employee's account to view and export contact records stored in a marketing tool associated with Circle.
BleepingComputer reported that the cybercriminal group ShinyHunters claimed responsibility for the breach on its data leak site, stating they had stolen 12GB of files and released them after Aura failed to meet their demands. Aura declined to comment on ShinyHunters' claims.
Note: Around the same time, ShinyHunters was also associated with a separate campaign referred to as the "Salesforce Aura Campaign." That name referred to the Salesforce Aura framework and involved Salesforce Experience Cloud sites with exposed or overly permissive guest-user access, not the Aura company. That campaign should not be confused with the Aura data breach incident.
Timeline of key events
- Early March 2026: According to Aura, its security team detected and terminated the unauthorized access, activated its incident response plan, engaged external cybersecurity and legal experts, and notified law enforcement.
- March 17, 2026: Aura publicly disclosed the incident, confirming that approximately 900,000 records had been accessed.
- March 18, 2026: Have I Been Pwned (HIBP) added the breach to its database. Around the same time, BleepingComputer reported that ShinyHunters had claimed responsibility on its data leak site.
- March 19, 2026: Aura updated its statement to say that no database supporting the Aura identity theft protection application had been accessed and that no Social Security numbers (SSNs), financial information, credit records, or passwords were compromised.
- March 26, 2026: Aura published a detailed security incident update, providing further context about the incident, the affected data, and its response.
What data was exposed in the Aura breach
While the number of records involved was large, Aura states in its security incident update that the data was limited to contact information, and no sensitive personal or financial data was compromised.
Aura confirmed that fewer than 20,000 active customers were affected. These were individuals who had previously provided information to Circle before later becoming Aura customers. Aura also states that 90% of the leaked email addresses were already present in previous leaks, and that the vast majority of the records had appeared in unrelated breaches, as Troy Hunt of HIBP also found.
Understanding risks after the Aura data breach
While the breach didn't expose SSNs, passwords, or financial information, the exposure of contact information can still create follow-up risks.
Phishing and scam risks to watch for
Criminals can combine exposed contact details (names, email addresses, phone numbers, and home addresses) with information from other breaches or public records to create more targeted scam messages. In some cases, exposed IP addresses may also provide a rough location signal.
One common follow-up risk after contact data exposure is phishing. This can take the form of emails, text messages, or phone calls that appear to come from Aura or another trusted company and ask recipients to verify an account, update payment details, or open a link. Those links often lead to malicious sites designed to steal credentials or install malware.
If scammers use exposed contact details to obtain more sensitive information, that information could later be used in identity theft or account takeover attempts.
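The link check described above can be automated for an HTML message body. This is an added example, not code from Aura or from the original article; `brand.example` is a placeholder for whichever domains the recipient has verified as official, and the sample message is constructed.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit
# Assumption: placeholder for domains the recipient has verified as official.
OFFICIAL_DOMAINS = {"brand.example"}

class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def host_of(url):
    try:  # accept both full URLs and bare "host/path" strings
        return urlsplit(url if "://" in url else "//" + url).hostname
    except ValueError:
        return None

def is_official(host):
    # Exact match or true subdomain only; "brand.example.evil.test" fails.
    host = (host or "").rstrip(".")
    return any(host == d or host.endswith("." + d) for d in OFFICIAL_DOMAINS)

def suspicious_links(html_body):
    collector = LinkCollector()
    collector.feed(html_body)
    findings = []
    for href, text in collector.links:
        host = host_of(href)
        if href.lower().startswith(("http://", "https://")) and not is_official(host):
            mismatch = is_official(host_of(text))  # text shows an official URL
            findings.append((host, "text shows official domain, link goes elsewhere"
                             if mismatch else "host is not an official domain"))
    return findings

# Constructed sample body (reserved TLDs and a TEST-NET address).
SAMPLE = ('<a href="https://brand.example.account-check.test/login">https://brand.example/login</a>'
          '<a href="https://brand.example@203.0.113.7/pay">Update payment details</a>'
          '<a href="https://help.brand.example/incident">Incident update</a>')
```

The first sample link fails because the official name appears only as a prefix of another domain, and the second because the official name sits in the userinfo part of the URL, before the `@`.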
How to check if your information was involved
According to Aura's incident update, the company is in the process of directly notifying affected customers. You can also check independently using HIBP, which lets you search for your email address across known breaches. Bear in mind that breached data can surface online long after the original incident, so periodic checks are worthwhile.
What to do if you were affected by the Aura breach
For those notified by Aura that their contact details were included in the breach (or who find their email address listed through an independent breach-checking service), the following steps may help reduce risk.
Please note: This information is for general educational purposes and not financial or legal advice.
Review Aura’s breach notification carefully
Aura’s notification can clarify which details were involved, what support options the company is offering, and how official communications are being handled. That context can help distinguish legitimate updates from phishing messages that impersonate Aura or other trusted companies and ask for passwords, payment details, or other sensitive information.
Monitor your accounts and credit reports
Keeping an eye on bank and credit card statements for unfamiliar transactions and enabling alerts for large purchases or account changes can help flag suspicious activity early. Reviewing credit reports periodically is also worth considering.
Some identity monitoring services can scan for exposed personal information and send alerts when monitored data appears in known breach records. ExpressVPN Identity Defender (eligible U.S. users on the Advanced and Pro plans) includes these types of alerts.
Change passwords and enable two-factor authentication
Even though Aura states that no passwords were compromised, updating passwords for email and other important accounts is a common precaution taken after any data exposure.
Strong, unique passwords combined with a password manager and two‑factor authentication (2FA), where available, can make accounts significantly harder to compromise.
Contact your bank or financial institutions if needed
Anyone who notices unauthorized transactions may want to contact their bank or card issuer promptly. Fraud alerts and credit freezes are also options available in the U.S. for people concerned about identity theft.
Legal options vary by jurisdiction, so people who believe they suffered financial harm may need qualified legal guidance.
FAQ: Common questions about the Aura data breach
How do I know if Aura notified me about the breach?
Can scammers use my email address after a data breach?
Is it safe to keep using Aura after the breach?
How long should I monitor my accounts after a breach?
Can exposed data be removed from the dark web?
How can I avoid phishing emails after a breach?