Ransomware victim disclosure

Bayou Title, Inc.

Claimed by AUR0RA · listed 18 hours ago

33 GB

Data size

70000-100000+ SSNs records

$140

Ransom

demanded

Today

Age

since listed · data leaked

Status timeline

Listed
Jun 6, 2026
Data leaked

At a glance

Group: AUR0RA
Status: Data leaked
Country: US
Sector: Real Estate / Title Insurance
Listed on leak site: Jun 6, 2026
Data size: 33 GB
Records: 70000-100000+ SSNs
Ransom demanded: $140

About the victim

AI dossier — public-source company profile

Bayou Title, Inc. is a title insurance company operating in the real estate sector in the United States. Limited public information is available about the company's specific operations or scale.

Industry: Real Estate / Title Insurance

Attack summary

Severity: medium — Data exfiltration confirmed (33 GB) and published, but the leak post provides no specifics about the actual contents, sensitivity level, or type of data taken from Bayou Title. The generic title-insurance sector involves handling of real estate documents and PII, which would typically be sensitive, but without documented proof of specific data types, severity cannot be elevated to 'high' or 'critical'.

The AUR0RA group claims to have exfiltrated 33 GB of data from Bayou Title, Inc. The leak post does not provide specific details about what data was targeted or compromised from this particular victim.

medium

What the group claims

The largest title insurance agent and closing/settlement services provider in Louisiana, with 19 full-service locations statewide. Exfiltrated data spans 20+ years of operations (2004–2026).

The leak post

captured from the group's site

[ NorthWest Handling Systems — a 55-year-old forklift and warehouse equipment company headquartered in Renton, Washington, with branches across WA, OR, and AK. The dump is the entire corporate file share going back to 1988. 337,000+ files spanning every branch, every department, every era of the company. It includes: Plaintext credit card numbers in an Excel spreadsheet literally titled “C.O.D. info (CREDIT CARD INFO).xlsx” — stored at the root of the file server, unencrypted, for years. Social Security numbers and Taxpayer IDs on W-9 forms and certified payroll documents for government-contract work (USPS, Oregon DHS, public schools). 3+ years of plaintext passwords for Target Corporation’s vendor portal (TARS), stored in Word documents titled “TARGET PASSWORD & SECURITY QUESTIONS.” Each password rotation was saved as a new file. Home Depot Maximo DC billing credentials — plaintext, in a Word document, enabling fraudulent invoicing against a Fortune 50 company. Albertsons/Safeway Corrigo facility-management portal credentials — again, plaintext in a .docx file. 33 GB of customer warehouse CAD files — facility layouts, equipment placement, security-zone dimensions, and fire-protect…

Data the group says was taken

Social Security numbers
names
addresses
sale proceeds
1099-S real-estate closing worksheets
W-2 filings
1099-MISC filings
employee payroll databases
Sage 50 EMPLOYEE.DAT files
bank account data

Screenshot of the leak post

Sources

Leak posthttp://u6lieui2dakbctcjea2bz4r4q32r7t36nwljovqbv7mxs6o2smgxixid.onion

Source

Indexed 18 hours ago

This page surfaces a public ransomware disclosure indexed by Darkfield. Original posts come from the operator's own leak site; we cross-check against ransomware.live, RansomLook and RansomWatch where applicable. Share this URL freely.

Is this your supplier? Your competitor? You?

Pro plans monitor your domain, corporate emails, and crypto wallets across every new ransomware leak-site post, breach dump and Telegram callout — alerts within 5 minutes.

Disclosure context

About AUR0RA

AUR0RA is a ransomware group first observed in June 2026 with an apparent financial motivation, having claimed responsibility for attacks against at least five known victims across the United States, Canada, and Australia. Given the recency of the group's emergence and the limited number of confirmed victims, detailed public attribution from major threat intelligence organizations such as CISA, the FBI, or Mandiant has not yet been established, and as such claims regarding origin, affiliation, or operational infrastructure cannot be responsibly made at this time. The group's targeting pattern suggests a deliberate focus on mid-market industries including commercial interiors, real estate and title insurance, warehousing and material handling, manufacturing, and oil and gas and industrial manufacturing sectors, which may indicate an opportunistic selection strategy or a preference for organizations with potentially sensitive operational or financial data and limited cybersecurity maturity. No specific attack methodology, tooling, or extortion tactics have been publicly documented by reputable sources for this group as of the time of this writing, though the sector targeting profile is consistent with groups known to conduct double extortion operations. AUR0RA should be considered an emerging threat actor under active monitoring, with its current operational status assessed as active based on the recency of first observed activity and the absence of any publicly reported law enforcement disruption or disbandment. The group has been linked to 5 public disclosures across our corpus. First observed on a leak site on June 6, 2026. The operation is currently active.

Timeline of this disclosure

June 6, 2026Bayou Title, Inc. listed by AUR0RAon the group's public leak site

Data size: 33 GB
Records: 70000-100000+ SSNs
Ransom demanded: $140