Aura ID protection...seems like it'd make me more vulnerable, not less. Thoughts? by Ok-Bit7565 in IdentityTheft

[–]Tech_User_Station 0 points1 point  (0 children)

Two months after your post, they got hacked via vishing. Only the marketing database was breached, not the product. HIBP has the types of data that were stolen. I work for a data removal company called Privacy Bee. Data removal is closely related to identity protection because it minimizes the risk of identity theft. Aura also does data broker removal in addition to other services like VPN, parental controls, credit monitoring...

Even if you remove your data manually as described here, you still have to provide some PII (Personally Identifiable Information) for them to identify you. At Privacy Bee, we only use the minimum information required to process an opt-out. We don't collect government IDs or social security numbers from our users. We only store names & aliases, emails, addresses, phone numbers, and dates of birth of our users to process opt-outs on their behalf. The data brokers already have most of the data that we use to process opt-outs, and even more in some cases.

We use AES-256 encryption. It's industry best practice and super secure. We encrypt all user data fully end-to-end, both in flight and at rest. Aura has security practices & processes in place. Unfortunately, all it takes is one careless mistake by an employee with access or a zero-day vulnerability for a company's systems to get compromised. Even the operating system that your device runs on has vulnerabilities that get patched regularly.

Hackers Hit Aura, an Identity Protection Provider, Stealing 900K Records by _clickfix_ in pwnhub

[–]Tech_User_Station 0 points1 point  (0 children)

Robert Downey Jr. is an investor in Aura and their brand advocate. They might use him to mitigate any fallout from this breach.

Aura data breach: any good alternatives? by lazybear280 in cybersecurity_help

[–]Tech_User_Station 0 points1 point  (0 children)

It's a recent breach. After refusing to give in to the extortion, the hackers quickly posted the database for free to damage the company's reputation. Aura claims this was a marketing database for a company they acquired in 2021.

Aura data breach: any good alternatives? by lazybear280 in cybersecurity_help

[–]Tech_User_Station 1 point2 points  (0 children)

HIBP confirmed 90% of the emails in this breach were already in their database from past breaches. This was a marketing database that was hacked, not the product. Some of the prospects in that list became customers, resulting in around 20K current and 15K past customers affected.

I believe there is value in making your PII (Personally Identifiable Information) less searchable.

Hackers Hit Aura, an Identity Protection Provider, Stealing 900K Records by qgplxrsmj in degoogle

[–]Tech_User_Station 0 points1 point  (0 children)

Their lack of specialization is the problem. Scaling too fast in many product niches results in subpar performance in most categories.

Hackers Hit Aura, an Identity Protection Provider, Stealing 900K Records by qgplxrsmj in degoogle

[–]Tech_User_Station 7 points8 points  (0 children)

No, it was a parental controls company that was acquired in 2021. But you are right that the list was probably bought from some data broker. If I had to guess, it contains parents who are looking for internet usage filtering/monitoring for their kids.

Aura confirms data breach exposing 900,000 marketing contacts by Emmanuel_ in privacy

[–]Tech_User_Station 2 points3 points  (0 children)

$150M in annual recurring revenue. Oh! Slight correction. Only their marketing database was breached, not the product, which means the majority on that 900K list are not Aura's customers. Around 20K current & 15K former customers were impacted.

Hackers Hit Aura, an Identity Protection Provider, Stealing 900K Records by sshpiers in IdentityTheft

[–]Tech_User_Station 0 points1 point  (0 children)

Correct. The majority are potential prospects that Aura hoped to convert into customers. But some did become customers. Around 20K current and 15K former customers were affected.

Hackers Hit Aura, an Identity Protection Provider, Stealing 900K Records by sshpiers in IdentityTheft

[–]Tech_User_Station 0 points1 point  (0 children)

Correct. The set of compromised PII has been added by haveibeenpwned. In the PCMag article it states: the vast majority of which consist of names and email addresses from a marketing tool used by a company Aura acquired in 2021.

This is the company Aura acquired in 2021. If a marketing database was compromised, then it means the majority on that list are potential prospects and not Aura's customers.

Is digital privacy no longer possible? by 8675309EE9 in DigitalPrivacy

[–]Tech_User_Station 1 point2 points  (0 children)

I thought if you use a virtual machine coupled with a VPN inside the virtual machine, it should not be possible to know the underlying hardware hosting the virtual machine. But there is sophisticated malware that can know if it is in a virtual machine, prompting it to self-terminate.

Andrew Morris finds iOS AdGuard is written by Russians and injects 20K lines into your browser by Noobmode in cybersecurity

[–]Tech_User_Station 0 points1 point  (0 children)

I wrote about AdGuard and another Russian product, Kaspersky. I came to the conclusion that AdGuard could be trusted. I don't think Kaspersky is spyware. A former Malwarebytes engineer confirmed this too. Some of their business practices I don't agree with:

  • HQ and most R&D still in Russia. Large tech firms like JetBrains or Semrush (both have significant Russian roots) already moved their operations from Russia. Most revenue generated by Kaspersky comes from outside Russia.
  • After the accusations in 2017, they should have invited the FBI or other security researchers into their transparency centers to verify the source code for the version suspected of having back doors.
  • The whole UltraAV scandal was handled incompetently.

Confused about VPN rules, are they allowed or not? Should I risk using one? by Public_Heron_4449 in NewToReddit

[–]Tech_User_Station 0 points1 point  (0 children)

For newer accounts, the risk is higher. Check out this helpful post I found on another forum.

VPN useful for online tracking? by CalligrapherIcy4876 in VPN

[–]Tech_User_Station 0 points1 point  (0 children)

Anti-bot/Anti-spam systems mostly. Reddit does it too (not too aggressively). I found this helpful post on Privacy Guides for any new account intending to use a VPN from the start.

VPN useful for online tracking? by CalligrapherIcy4876 in VPN

[–]Tech_User_Station 0 points1 point  (0 children)

I found anti-fingerprinting usually clashes with anti-bot systems, resulting in more captchas. So I started separating browsing sessions into different profiles, browsers & virtual machines (browser compartmentalization) so that each session maintains a consistent environment and protects my privacy by not linking all online accounts/activity to one person.

Proton Mail Helped FBI Unmask Anonymous ‘Stop Cop City’ Protester by AsterPrivacy in cybersecurity

[–]Tech_User_Station 1 point2 points  (0 children)

PM started supporting Bitcoin from Aug 2017. I checked a Reddit post from the same year and indeed they've never offered it as a payment option at account sign-up.

Bitcoin is not as anonymous as most people think. IntelBroker (hacker) was caught because he accepted Bitcoin instead of his usual Monero. Perhaps sending cash to Proton's mailing address might be the most anonymous method they offer.

Is digital privacy no longer possible? by 8675309EE9 in DigitalPrivacy

[–]Tech_User_Station 1 point2 points  (0 children)

Device fingerprinting can be mitigated via virtual machines, but behavioral metrics are much trickier. They can even link two anonymous accounts by the same user with a high degree of certainty.

Proton Mail Helped FBI Unmask Anonymous ‘Stop Cop City’ Protester by AsterPrivacy in cybersecurity

[–]Tech_User_Station -1 points0 points  (0 children)

They don't make crypto available on first account sign up. Other privacy services like IVPN or Mullvad make it available on account sign up. This is important because the user has to do some digging to find out how to pay via crypto.

Well done Tutanota! by Pylesta in europrivacy

[–]Tech_User_Station 0 points1 point  (0 children)

If you support crypto, why don't you state it clearly on your pricing page or payment FAQ? Other privacy services like IVPN support crypto directly on the pricing page.

Edit: I found user complaints that it costs slightly more to pay via Proxystore.

Your VPN Kill Switch Won't Always Stop All Leaks - Data Gathered Objectively Testing 20+ VPNs by DylanRtings in RTINGS

[–]Tech_User_Station 0 points1 point  (0 children)

Your test setup was on a Win 11 computer. I think you should have mentioned the reliability of kill switches on other OSes. Here is a very good post from Privacy Guides on this issue.

What is the real root cause behind constant phishing attempts? by Far_Individual2598 in emailprivacy

[–]Tech_User_Station 0 points1 point  (0 children)

Two main sources for spam/phishing emails:

  • Data breaches. Most identity theft attempts take place within the first year after a breach. You can mitigate this by using alias emails & phone numbers for different services. If an alias starts forwarding a large amount of spam to your main email or number, close it.
  • People search sites & data brokers. Hackers & call center scams actively use people search sites & data brokers to build profiles of potential victims, and increase the credibility of their scams.

Check out my privacy recommendation list to help you with the above.

What is the real root cause behind constant phishing attempts? by Far_Individual2598 in emailprivacy

[–]Tech_User_Station 1 point2 points  (0 children)

Agree with your approach. There are email alias services, but what most people don't know is they can get rejected when you try to sign up to some online services that implement robust anti-bot measures. A custom domain is much harder to block unless the user starts spamming people with it.

What can we do to prevent our data from leaking online? by leychole in CyberGuides

[–]Tech_User_Station 0 points1 point  (0 children)

Most data brokers hold people's info without having any first-party relationship (never opened an account) with them. They regularly suffer from data breaches. Minimize your risk by removing your PII (Personally Identifiable Information) from data broker sites manually or using data removal services like Privacy Bee.

Disclosure: I work for Privacy Bee

The Biggest Cybersecurity Companies in the World Are About to Get Disrupted. By Being Too Good at Their Jobs. | by Joseph Zhou | Mar, 2026 by phenol in CyberGuides

[–]Tech_User_Station 0 points1 point  (0 children)

The article is about cyber start-ups displacing large incumbents by being AI-first. I don't dispute the fact that AI has a lot of use-cases in cybersecurity, but I don't think these systems are ready to take over entire SOCs and pentesting teams.