In March 2026, Aura got breached.
If you are not familiar with Aura, they sell identity theft protection. Credit monitoring. Online security services. Their entire value proposition is keeping your identity safe. That is what people pay them for.
ShinyHunters walked out with 900,000 customer records. Names, home addresses, phone numbers, email addresses. Nearly a million people who paid a company to protect their identity had their identity information stolen from that company.
The entry point was not a zero-day. It was not a sophisticated nation-state attack. It was a voice phishing call. Someone called an Aura employee, said the right things, and that employee handed over access to an account. One person. One phone call. 900,000 records.
I am not writing this to pile on Aura. Social engineering works. It has always worked. It will keep working because the human element is the hardest part of any security program to harden. The people answering phones and responding to urgent requests are doing their jobs. Attackers know that and they exploit it deliberately.
What I keep coming back to is what happens after that phone call.
One employee account gets compromised. That account has access to a marketing database containing records for 900,000 customers. There is no friction between the compromised account and the data. There is apparently no alert that fires when a single session starts accessing records at the scale required to exfiltrate nearly a million entries. There is no anomaly detection that asks why this account is suddenly doing something it has never done before.
This is the PAM conversation hiding inside a story that most people are reading as a phishing story.
The phishing call is the entry point. What happens after the entry point is a privileged access problem.
If that employee account had access only to what it needed for its specific role — and nothing more — the blast radius of that phone call shrinks dramatically. If that account's activity was baselined and monitored, a bulk export of 900,000 records generates an alert before the exfiltration is complete. If access to sensitive customer data required additional authentication or approval beyond the standard session, a compromised credential is not automatically a data breach.
None of those controls stop the phishing call. They stop the phishing call from becoming a 900,000-record breach.
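To make the "baselined and monitored" control concrete, here is an added example (written for this discussion, not code from Aura or from any PAM product) that replays a constructed access log for one marketing account and scores each event against that account's own history: it flags a dataset the account has never touched, a daily volume far outside its normal band, and a read of a sensitive dataset without step-up authentication. The account name, dataset names and log entries are all constructed.

```python
from statistics import mean, pstdev

# Constructed sample access log for one marketing account (not real data).
# Each entry: (day, account, dataset, records_read, step_up_auth_done)
SAMPLE_LOG = [
    ("2026-03-01", "mkt_user", "campaign_list", 120, False),
    ("2026-03-02", "mkt_user", "campaign_list", 95, False),
    ("2026-03-03", "mkt_user", "campaign_list", 140, False),
    ("2026-03-04", "mkt_user", "campaign_list", 110, False),
    ("2026-03-05", "mkt_user", "campaign_list", 130, False),
    # Day of the compromise: same account, a dataset it never used, bulk read.
    ("2026-03-06", "mkt_user", "customer_master", 900000, False),
]

# Datasets that should require step-up authentication beyond the normal session.
SENSITIVE_DATASETS = {"customer_master"}


def baseline_for(log, account, before_day):
    """Return (datasets seen, daily volumes) for an account strictly before a day."""
    seen, volumes = set(), []
    for day, acct, dataset, n, _ in log:
        if acct == account and day < before_day:
            seen.add(dataset)
            volumes.append(n)
    return seen, volumes


def score_event(event, log, sigma=3.0, min_history=3):
    """Return the list of alert reasons for one access event; empty means normal."""
    day, account, dataset, n, step_up = event
    seen, volumes = baseline_for(log, account, day)
    reasons = []
    if seen and dataset not in seen:
        reasons.append(f"never_seen_dataset:{dataset}")
    if len(volumes) >= min_history:
        # Avoid a zero-width band when the history is perfectly flat.
        spread = pstdev(volumes) or 0.1 * mean(volumes)
        ceiling = mean(volumes) + sigma * spread
        if n > ceiling:
            reasons.append(f"volume_anomaly:{n}>{ceiling:.0f}")
    if dataset in SENSITIVE_DATASETS and not step_up:
        reasons.append("sensitive_without_step_up")
    return reasons


def scan(log):
    """Replay the log in order; each event is scored only against earlier history."""
    alerts = {}
    for event in log:
        reasons = score_event(event, log)
        if reasons:
            alerts[(event[0], event[1])] = reasons
    return alerts
```

Run `scan(SAMPLE_LOG)` and only the 2026-03-06 event comes back, with all three reasons attached; the five ordinary days produce nothing, which is the point of scoring against the account's own baseline rather than a global threshold.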
The principle of least privilege is not just about administrators. It is about every account that touches data someone would pay to steal. The analytics layer is not just for PAM vaults and domain admin sessions. It is for any account with access worth monitoring.
Aura's breach is being covered as an irony story — the identity protection company that lost identity data. The real story is more useful than the irony. It is a reminder that the credential is just the door. What you do on the other side of the door is where privileged access management lives.
One employee account. One phone call. 900,000 records.
The question worth asking about your own environment is not whether your employees would fall for a voice phishing call. Some of them would. Some of mine would. That is not a failure of character — it is a feature of how humans work under social pressure.
The question is what an attacker gets after that call. If the answer is everything that employee could ever touch, with no monitoring and no friction, the phone call is the whole breach. If the answer is a limited-scope account with behavioral monitoring and least-privilege access, the phone call is an incident you investigate on a Tuesday morning.
That is the difference a PAM program makes. Not whether the call happens. What it costs when it does.
Thoughts or war stories from your own environment — thepaminsider@gmail.com.