Data leak
Aura Identity Protection Data Breach - ShinyHunters Vishing (900K Records)
Incident Details
On March 17, 2026, identity protection firm Aura disclosed a data breach after ShinyHunters used targeted vishing to compromise a single employee’s account. The attacker had access for approximately one hour before Aura’s security team detected and removed the unauthorized session. The breach primarily exposed data from a marketing tool Aura acquired in 2021: approximately 900,000 records consisting mostly of names and email addresses. More detailed contact information (names, emails, phone numbers, and physical addresses) was exposed for up to 35,000 current and former customers. No Social Security numbers, passwords, or financial information were compromised. ShinyHunters claimed to have exfiltrated approximately 12 GB of data including PII and corporate data. The irony of an identity protection company being breached via the same social engineering techniques it warns customers about was widely noted in security reporting.
Technical Details
- Initial Attack Vector: ShinyHunters used targeted vishing (voice phishing) against a single Aura employee to obtain credentials, gaining approximately one hour of unauthorized access before being detected and removed.
Timeline
- 2026-03-17 Breach occurred
- 2026-03-17 Publicly disclosed
- 2026-03-17 Customers notified