.svg)
On March 17th, Aura announced that a single employee had been the victim of a highly targeted phishing attack. As a result, an unauthorized party was able to gain access to the employee’s account for approximately one hour before being removed by Aura’s security team.
This incident is one that we take very seriously. Unfortunately, not all news publications (or competitors) who have posted about the incident have done so in good faith.
To stop misinformation and provide the most accurate and up-to-date information about the Aura security incident, we’re sharing everything we know right now:
- Aura’s product was not hacked. The unauthorized party had access to an employee’s corporate account for less than an hour. That employee did not have access to any of the systems or databases that support our online safety and identity theft protection product.
- No sensitive customer information was leaked — including Social Security numbers (SSNs), passwords, and financial information. They were able to access marketing contact information, primarily names and email addresses.
- The bulk of the leaked data came from marketing lists of a company that Aura acquired in 2021 (Circle Media Labs, Inc — “Circle”).
- Fewer than 20,000 active Aura customers were impacted by this data incident. These were individuals who became Aura customers after previously providing information to Circle.
- 90% of the leaked emails were already present in previous leaks. While we regret our role in the spread of any contact information, the vast majority of these records had already appeared in previous breaches unrelated to Aura, as Troy Hunt of HaveIBeenPwned has also found.
Note: We are currently working with third-party cybersecurity experts and will update this post as and when we have new information to share.
Did the Aura app get hacked?
No. Aura’s online safety app was not compromised by the unauthorized party and there is no ongoing risk to customer data.
Contrary to how some people have reported on the situation, the Aura app was not accessed in any way and no sensitive personal information was obtained by the unauthorized party.
All data stored in Aura’s secure Vault for identity monitoring purposes is encrypted. Any customer information accessed was included in marketing contact lists unrelated to any customer information shared within the Aura app.
What information was exposed?
The unauthorized party was able to obtain limited information including:
- Names
- Email addresses
In some cases, the leaked records also included:
- Home addresses
- Phone numbers
- IP addresses
We can confirm that no SSNs, passwords, or financial information were compromised.
Where did the leaked data come from?
The accessed information came primarily from a sales and marketing database used by Circle Media Labs, Inc. (“Circle”) — a company that Aura acquired in 2021.
This information was provided to Circle by potential customers. After the acquisition of Circle, Aura maintained some of the sales and marketing tools that Circle used.
How will I know if my data was leaked?
We are currently in the process of notifying Aura customers that were impacted by this incident.
What should I do if my email was accessed?
We understand you may have seen notifications from other companies. Aura is committed to transparency, and will continue to update this announcement throughout our ongoing investigation. We are continuing to review the data and match it against our records, and we will also notify affected customers and partners as appropriate.
The Aura application itself was not accessed, and no sensitive personal information was obtained by the unauthorized party. Data such as SSNs, financial information, credit records, and passwords remains encrypted and secure within Aura’s systems, which were not accessed in this incident.
There is no ongoing risk to customer data.
If you have additional questions or need support, you can contact us at support@aura.com or 1-833-552-2123.
Can I trust Aura to protect my data?
Yes. During this incident, Aura’s systems worked as intended to limit the potential exposure of customer information. All sensitive personal data was kept secure and out of reach of the intruder.
Aura has spent years building secure systems that adhere to the most stringent international information security practices, including ISO27001, AICPA SOC 2 Type II, and PCI-DSS.
How can I delete my information from Aura?
You can request deletion of your personal information at any time through Aura’s Privacy Request Center. To get started, use the “Your Privacy Choices” link at the bottom of our website and submit a Deletion Request. This helps us verify your identity and process your request.
Once submitted, our team will review and begin removing your personal information from our active systems. The full deletion process may take up to 30 days to complete. After that, your personal information will be permanently deleted from our databases.
Does Aura sell my data?
Aura does not sell your personal data and the Aura app is not ad-supported. Like many companies, we use limited website cookies and pixels for advertising. We’re transparent about this and give you control over those settings.
