Aura, an identity protection platform, confirmed a breach of approximately 900,000 records from a legacy marketing database inherited through a 2021 acquisition, initiated via a vishing attack against an employee that yielded valid database credentials. ShinyHunters claims attribution and alleges failed extortion preceded public disclosure; approximately 35,000 current and former customers are directly impacted. Organizations should treat this as a prompt to audit post-acquisition data governance, enforce MFA and least-privilege on inherited systems, and implement vishing-specific awareness training targeting IT, HR, and help desk staff who control credential provisioning.