Aura sells credit monitoring and identity theft protection. Their whole pitch is that you pay them, and they keep scammers away from you.
Last week, a scammer called one of their employees. And that was that.
Aura confirmed a data breach affecting roughly 900,000 contacts after an employee fell for a voice phishing attack. No malware, no zero-day. Just a convincing phone call. Exposed data includes names, email addresses, home addresses, and phone numbers.
The irony writes itself. But there’s something more useful here than dunking on the security company that got hacked.
Aura’s response leans on one point: only about 35,000 of those 900,000 were actual current customers. The rest came from a marketing list the company bought in 2021. They’d like you to think of this as a stale third-party list breach, not a customer vault breach.
That framing deserves some pushback. If you’re one of the 35,000, the distinction probably doesn’t feel as meaningful as Aura would like. And those 865,000 people from the marketing list are real people who never chose to do business with Aura – they just got swept up anyway.
The good news: no Social Security numbers, no financial data. Names and addresses are bad, but not worst-case.
Here’s the real story. There is no software product that protects against a well-executed vishing call aimed at someone with access to your data.
Aura monitors credit bureaus, flags phishing in your inbox, alerts you to suspicious activity. All useful. But all of that operates downstream of the humans who work there. Those humans are as susceptible to a convincing phone scammer as anyone else.
The uncomfortable truth every security vendor quietly lives with: your product is only as secure as your least-trained employee on their worst day. That’s not a knock specifically on Aura. It’s true for everyone in the business.
Watch for the breach notification letter – read it carefully to understand exactly what data of yours was in scope. Your monitoring subscription itself is probably still functioning normally. But do a basic hygiene check: change passwords if your email was exposed, and expect an uptick in phishing attempts.
And if anyone calls you claiming to be from Aura in the next few months, be very skeptical. The irony of that scenario would be almost too much to bear.
Full breakdown of what identity protection actually covers – and doesn’t.