Full-Time
Posted on 10/7/2025
AI-powered family cybersecurity and protection platform
$40k - $55k/yr
Remote in USA
Remote
Aura provides a multi-service online safety platform powered by AI that protects families across identity, devices, and online gaming. It combines credit monitoring and identity protection (including alerts within minutes of credit file compromise and instant Experian file locking) with comprehensive device malware protection and 24/7 in-game safety monitoring for 200+ PC games to detect cyberbullying, online predators, and toxic behavior. Revenue comes from subscription fees for an all-in-one protection suite. Aura differentiates itself by offering an integrated, family-focused solution that covers digital identity, device security, and gaming safety in one service, backed by awards from U.S. News, Forbes, and Mom’s Choice Awards. Its goal is to reduce online risk for families by providing real-time alerts, easy-to-use protections, and broad coverage across the digital lives of household members.
Company Size
1,001-5,000
Company Stage
Series G
Total Funding
$662.7M
Headquarters
Burlington, Massachusetts
Founded
2017
Health Insurance
401(k) Retirement Plan
Parental Leave
Remote Work Options
Paid Vacation
Paid Sick Leave
Paid Holidays
Flexible Work Hours
Mental Health Support
Wellness Program
Aura, an AI-powered online safety platform, has launched Aura Business, an enterprise security solution targeting identity-based risks that cause 65% of corporate breaches. The offering protects employees accessing corporate systems rather than focusing solely on device management. The company is initially rolling out through managed service providers (MSPs), addressing bring-your-own-device security gaps. Recent research shows 65% of MSPs receive client requests for BYOD services, whilst 55% experienced BYOD-related security incidents in the past 24 months. Aura Business integrates with Microsoft Entra ID to enforce conditional access, ensuring only users on secure devices can access business systems. Employees receive protection against phishing, malware and credential theft whilst maintaining privacy. Enterprise partnerships represented over 30% of Aura's revenue in 2025.
Aura, an AI-powered online safety platform, has launched a Digital Wellbeing Score for children and teens, backed by proprietary research from its clinical psychologists. The feature, now available in the Aura Parents app, analyses device usage patterns to identify behaviours associated with stress, poor sleep and low moods. Research reveals digital wellbeing declines sharply with age — over 60% of 16–17-year-olds show low wellbeing scores compared to fewer than 40% of 8–15-year-olds. Children with low scores check phones seven times more frequently, send five times more messages and take twice as long to disengage from devices after bedtime. A complementary survey of 2,000 children aged 11–17 found 44% feel pressured to be online, exceeding pressure to smoke or drink. The Digital Wellbeing Score is available through Aura Parents subscriptions starting at $10 monthly.
Aura breach and AI companion app flaws sharpen privacy fears. A new security report on AI girlfriend and companion apps is drawing added attention because it arrives just as identity protection company Aura is dealing with its own data exposure incident, underscoring the broader risk of companies collecting intimate user information and failing to fully protect it. Aura said an unauthorized party accessed about 900,000 records after a targeted phone phishing attack on an employee, while the companion app report says 17 popular Android apps with a combined 150 million plus installs contain 14 critical flaws and 311 high severity issues, including vulnerabilities that could expose users' erotic chat histories. According to the report, published by mobile application security company Oversecured, the problem is not simply that these apps are popular, but that they are built around some of the most sensitive disclosures users make anywhere online. Oversecured says the apps it examined include products explicitly marketed as AI girlfriends, AI boyfriends, dating simulators, and roleplay platforms, while several others present themselves more broadly as character or chat apps but still host large volumes of romantic and sexual roleplay. The report says users disclose explicit sexual content, relationship problems, sexual orientation, suicidal thoughts, and domestic conflicts, and that these conversations are often stored server-side and in some cases cached locally on users' devices. Oversecured says ten of the 17 apps it reviewed contained flaws that create a path to users' conversation histories, and six of those apps had critical vulnerabilities specifically capable of exposing chat data. Three of those six apps had more than 10 million downloads each, and one had more than 50 million downloads, according to the report. 
The company says the most severe findings included hardcoded cloud credentials embedded in app code, a cross-site scripting flaw that would allow code injection directly into a chat interface, and a file theft vulnerability in an app known for not safe for work content. The report lays out how those flaws could work in practice. In one 10 million download app, Oversecured says it found both an OpenAI API token and a Google Cloud service account private key hardcoded in the APK, potentially allowing access not only to the app's AI backend but also to billing infrastructure and, if stored in the same cloud project, the full chat database. In another 10 million download app, a cross-site scripting flaw in an exported WebView could allegedly let an attacker inject JavaScript into the chat interface, read conversations on screen in real time, steal session tokens tied to full server-side histories, and inject fake messages into what users believe is a private exchange. In a separate 1 million download app, Oversecured says an arbitrary file theft flaw could expose local chat databases, cached photos, voice messages, and authentication tokens. The report also points to a supply chain style risk in one app with more than 50 million installs. Oversecured says an ad software development kit allowed arbitrary component launch and content provider access, which in turn could permit direct queries to internal conversation tables through a malicious ad creative. In another app with more than ten million installs, Oversecured says arbitrary component launch combined with a hardcoded token could expose authentication and session data or redirect users to an attacker-controlled phishing page made to resemble a legitimate app screen. Oversecured argues that the findings fit a pattern rather than an isolated problem. The report cites two previous AI companion-related exposures. 
One in October 2025 involved Chattee Chat and GiMe Chat which exposed 43 million messages and 600,000 photos from more than 400,000 users through an unprotected server. In February of this year, another AI chat app exposed 300 million messages from 25 million users through a Firebase misconfiguration. Oversecured says the vulnerabilities it found, including hardcoded credentials, injectable WebViews, and file access flaws, can lead to the same kind of large-scale exposure. A central point of the report is that these apps sit in what it called a regulatory blind spot. Oversecured says no regulator in any jurisdiction has yet taken enforcement action against an AI companion app for application layer security flaws, even though regulators have investigated or sanctioned some of the same companies over privacy disclosures, age verification, and child safety. The report notes that the Federal Trade Commission (FTC) sent compulsory information orders to Alphabet, Character Technologies, Instagram, Meta Platforms, OpenAI OpCo, Snap, and X.AI Corp. in September 2025, but that the inquiry focused on harms to children rather than how companion apps store and secure conversation data. The FTC said it wanted to know what steps companies had taken to evaluate chatbot safety, limit harmful effects on minors, restrict children's or teens' use where appropriate, and comply with the Children's Online Privacy Protection Act Rule. Oversecured also pointed to new California and New York laws requiring disclosures and suicide prevention measures, and to Italy's €5 million fine against Replika's developer over GDPR-related violations as examples of governments acting on privacy and youth protection issues without squarely addressing app layer security. The Aura incident gives that argument more immediate resonance. 
Aura said the unauthorized access affected data in a marketing tool associated with a company it acquired in 2021 and that fewer than 20,000 active Aura customers and fewer than 15,000 former customers were affected. The company said no database supporting its identity theft protection application was accessed and that no Social Security numbers, financial information, credit records, or passwords were compromised. Have I Been Pwned, a public breach notification service that lets you check whether your email address has appeared in known data breaches, added the breach to its database, saying the exposed data included 900,000 unique email addresses and could also include names, phone numbers, physical and IP addresses, and customer service comments. The Aura breach did not involve AI companions or erotic chat histories, but together the two incidents sharpen the concern about what happens when companies persuade users to hand over highly personal information and then fail to secure every layer of the systems that store it. In the case of AI companion apps, Oversecured's answer is that the consequences could be especially severe because the compromised material may include sexual conversations, confessions, emotional dependency, and records tied to real user identities. The report says that while regulators have focused on who should use these apps and what harms they may cause, they have not yet dealt with the simpler and more basic issue of whether the apps can keep those conversations private.
Identity protection firm Aura suffers data breach exposing 900,000 records. Aura says a targeted voice phishing attack against one of its employees led to unauthorized access to about 900,000 records, prompting customer notifications and an incident response effort. The disclosure came after the ShinyHunters threat group advertised what it claimed was a trove of data stolen from Aura, while Have I Been Pwned (HIBP) has now added the incident to its database. According to Aura, the incident began when an employee was tricked in a targeted phone phishing attack, allowing an unauthorized third party to access the worker's account for roughly an hour. The company said it revoked access as soon as it discovered the intrusion, activated its incident response plan, brought in outside cybersecurity and legal specialists, and notified law enforcement. Aura described the exposure as limited but acknowledged that the attacker accessed approximately 900,000 records. Aura said the overwhelming majority of the exposed records were names and email addresses stored in a marketing tool tied to a company it acquired in 2021. The company added that the contact information of fewer than 20,000 active customers and fewer than 15,000 former customers was also accessed. In those cases, the exposed details may have included names, email addresses, home addresses, and phone numbers. Aura said Social Security numbers, passwords, and financial information were not compromised. Aura is an online safety and identity protection provider that offers services to help consumers monitor fraud risks, protect accounts, and respond to identity-related threats. That makes any security incident particularly sensitive, even when the company says its core sensitive data stores remained protected. 
The timing of Aura's statement closely follows a breach listing by ShinyHunters, which claims to be offering 900,000-plus Aura records containing personally identifiable information and internal corporate material. ShinyHunters told CyberInsider that the breach occurred through an Okta single sign-on (SSO) attack. HIBP reports that the leaked data affects 903,100 accounts, exposing names, email addresses, phone numbers, physical addresses, IP addresses, and customer service comments. It also noted that about 90% of the leaked records were already present in its system from previous breaches. Aura said it is notifying impacted individuals where appropriate and will provide support to affected customers. Even without passwords or financial data in the exposed set, people affected by the breach should be on the lookout for follow-up scams, especially calls, emails, or texts that reference Aura, identity protection, billing, or account security.
Aura - 903,080 breached accounts. 2026-03-18 09:03 In March 2026, the online safety service Aura disclosed a data breach that exposed 900k unique email addresses. The data was primarily associated with a marketing tool from a previously acquired company, with fewer than 20k active Aura customers affected. Exposed data included names, phone numbers, physical and IP addresses, and customer service notes. Aura advised that no Social Security numbers, passwords or financial information were compromised.