Identity protection company Aura has confirmed that an authorized party gained access to nearly 900,000 customer records containing names and email addresses.

The company states that the incident was caused by a voice phishing attack targeting an employee, which exposed the sensitive data of 20,000 current and 15,000 former customers.

In a communication this week, Aura states that the data originated from a marketing tool used by a company acquired by Aura in 2021, which exposed limited information.

Aura is a consumer digital safety firm that sells identity theft protection, credit and fraud monitoring, and online security tools for phishing protection, positioning itself as an all-in-one service for online protection.

Earlier this week, the threat group ShinyHunters claimed the attack on their data extortion site, stating that they stole 12GB of files containing personally identifiable information (PII) on customers, as well as corporate data.

The threat actor leaked the stolen files, saying that the company “failed to reach an agreement with them despite all the chances and offers” they made.

According to Aura, the compromised customer information includes full names, email addresses, home addresses, and phone numbers. The company emphasizes that Social Security Numbers (SSNs), account passwords, and financial information were not compromised.

The Have I Been Pwned (HIBP) service analyzed the leaked data and added it to its database, noting that customer service comments and IP addresses were also exposed. HIBP also stated that 90% of the email addresses exposed in this incident were already present in its database from past security incidents.

BleepingComputer has asked Aura about the discrepancy between HIBP reporting a little over 901,000 affected accounts, and the company said that their figure was accurate.

This is explained by the fact that the data collected through the marketing tool was inherited when acquiring the company in 2021. However, the database contained only 35,000 Aura customers. The company declined to comment further on ShinyHunters’ claims or the alleged Okta SSO compromise.

Currently, Aura is conducting an in-depth internal review in partnership with external cybersecurity experts and has confirmed to BleepingComputer that they have also informed law enforcement authorities.

Aura told us that it will soon send personalized notifications to all affected individuals.