Troy Hunt, a security consultant who runs the popular data-breach search service Have I Been Pwned?, has disclosed that he has become a victim of a phishing attack that exposed the email addresses of 16,000 subscribers to his blog troyhunt.com.
“Every active subscriber on my list will shortly receive an email notification by virtue of this blog post going out,” he said.
The export also included people who have unsubscribed, and Hunt questioned why Mailchimp would keep these in the first place. “I’ll need to work out how to handle those ones separately. I’ve been in touch with Mailchimp but don’t have a reply yet, I’ll update this post with more info when I have it.”
How it Happened
Hunt said he had traveled to London and woke up to find that his sending privileges had been restricted due to a spam complaint received on 24 March. “You know when you’re really jet lagged and really tired and the cogs in your head are just moving that little bit too slow? That’s me right now, and the penny has just dropped that a Mailchimp phish has grabbed my credentials, logged into my account and exported the mailing list for this blog.”
He said he is “enormously frustrated” with himself for having fallen for this and apologises to anyone on that list. “Obviously, watch out for spam or further phishes and check back here or via the social channels in the nav bar above for more.
“Ironically, I’m in London visiting government partners, and I spent a couple of hours with the National Cyber Security Centre yesterday talking about how we can better promote passkeys, in part due to their phishing-resistant nature,” he ended.
We Are All Human
Aditi Gupta, principal security consultant at Black Duck, commented: “This recent phishing attack further highlights that, in the end, we are all humans, and sophisticated phishing attacks could get the best of us. Bad actors feed on fear and weaknesses such as tiredness and a sense of urgency as part of a simple formula to bait unsuspecting users.”
Using passkeys is an immediate preventative measure, said Gupta, but basic hygiene such as evaluating sender identity and double-checking domains on a different browser before clicking and entering credentials is a wise thing to do.
The Right Message at the Right Time
This is an example of how even a seasoned professional can fall victim to a well executed phishing attack, added Erich Kron, Security Advocate at KnowBe4. “Social engineering is largely getting the right message to the right person at the right time, and that combination can lead to unfortunate situations such as this. This is one reason we should avoid shaming users who have made a mistake and potentially clicked on a link or performed some other action.”
Kron says entities should work toward a security culture that celebrates reporting and a way to receive guidance on something that may seem odd or out of place, without worrying about being made to feel bad about an inquiry. “Fortunately, in this case there was not a lot of information available, and Mr Hunt deserves kudos for speaking about it publicly, admitting his error and using this to help educate others.”
Information Security Buzz News Editor
Kirsten Doyle has been in the technology journalism and editing space for nearly 24 years, during which time she has developed a great love for all aspects of technology, as well as words themselves. Her experience spans B2B tech, with a lot of focus on cybersecurity, cloud, enterprise, digital transformation, and data centre. Her specialties are in news, thought leadership, features, white papers, and PR writing, and she is an experienced editor for both print and online publications.
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.