Aura and the irony of protecting identities: 900,000 records exposed after a vishing attack

voice phishingaddressed to an employee allowed an authorized actor to access almost 900,000 records containing names and e-mail addresses, in addition to other limited data from an inherited marketing tool after an acquisition in 2021. You can read Aura's official note here: Aura's statement . BleepingComputer, who has been asking Aura for discrepancies in numbers and scope. Have I Been Pwned (HIBP), which added the leak to its database and noted that, in addition to the basic fields, the files included customer service comments and even IP addresses. HIBP also noted that most of the exposed emails - about 90% - were already on their base for previous incidents, which does not subtract gravity but does partly explain the overlap of addresses. vishing- phone supplanting - may avoid security controls if the employees are not prepared or if the verification procedures are laxity. Secondly, the incorporation of tools and databases from acquired companies can carry old risks if data access and governance controls are not properly cleaned and aligned. Have I Been PwnedAnd wait for Aura's official communication. Although the company claims that no passwords or financial data were displayed, it is prudent to strengthen surveillance: activate multifactor authentication where possible, review unusual activity alerts in accounts associated with the mail that could be leaked and, if appropriate, consider additional measures such as credit freezing or fraud alerts as recommended by the consumer protection authorities. BleepingComputerand annotations to Have I Been Pwned They're good starting points. And if you receive communications that appear to be related to this incident, it confirms its veracity with official sources before providing more data.