Troy Hunt, cybersecurity expert and founder of HaveIBeenPwned, becomes a victim of phishing scam

Facepalm: Even the most vigilant can fall victim to scams. Take Troy Hunt, a renowned security expert and the creator of HaveIBeenPwned.com, who was duped by a phishing email. The attackers succeeded in stealing his mailing list for his personal blog, compromising around 16,000 emails, with nearly half belonging to individuals who had unsubscribed.

Hunt recounted that he was jet-lagged and fatigued when he opened an email that appeared to be from Mailchimp, the platform he uses for his mailing list. The email claimed that a spam complaint had been lodged against the newsletter for his personal blog, resulting in restricted sending privileges.

He clicked the link in the email, which directed him to a page where he entered his login credentials. Notably, the credentials did not auto-fill from the 1Password password manager extension: a password manager only offers saved credentials on the domain they were saved for, so a missing auto-fill on a familiar login page is a sign that the page is not the one it claims to be. After entering the one-time password, the page froze, and in that moment, he realized he had been deceived.

Hunt then logged into the official Mailchimp website to change his password, but it was already too late: he had received an alert indicating that his mailing list had been exported from an IP address in New York, along with a login alert from the same IP. These scams are automated, so the export completes in the seconds between the victim entering the code and resetting their credentials.

Out of the 16,000 email addresses stolen, 7,535 belonged to individuals who had unsubscribed from the mailing list. Hunt expressed confusion as to why Mailchimp retained data from unsubscribed users and mentioned he would investigate any potential configuration issues on his end.

The silver lining for Hunt is that the hack didn’t affect his HaveIBeenPwned site, where users can check if their email has been involved in prior data breaches, including the breach of Hunt’s Mailchimp list.

While most of us are cautious about clicking email links, Hunt noted that he has successfully avoided “gazillion similar phishes” in the past. However, he was fatigued from traveling to London when he encountered this particular email. He added that the message created a sense of urgency, which, while not wholly suspicious, prompted a rapid response.

“Tiredness was a significant factor. I wasn’t alert enough and didn’t fully think through my actions,” he reflected on his blog. “The attacker had no way of knowing that (I have no reason to believe this was aimed specifically at me), but we all have moments of weakness, and if the phishing attempt coincides with that, well, here we are.”

Hunt also pointed out that this attack highlighted how certain two-factor authentication methods are not phishing-resistant. One-time passwords, he explained, are ineffective against automated phishing kits that relay the code to the real site the moment it is entered, because the code is valid wherever it is typed.
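The following is an added illustration, not code from the article or from Mailchimp, of why the relay Hunt describes works against a one-time password but not against an origin-bound second factor. It implements RFC 6238 TOTP as a server would verify it, and beside it a deliberately simplified stand-in for a WebAuthn assertion in which the authenticator signs the challenge together with the origin the browser reports. All secrets, origins and the HMAC-based "device signature" are constructed for the demonstration; real WebAuthn uses public-key signatures over clientDataJSON, but the origin check shown is the part that defeats a relay.

```python
import hashlib
import hmac
import json
import struct

# Constructed sample secrets and origins; nothing here comes from the article.
TOTP_SECRET = b"constructed-shared-secret-for-demo"
DEVICE_KEY = b"constructed-device-key-stand-in"          # stands in for a private key
LEGIT_ORIGIN = "https://login.example.com"               # hypothetical real service
PHISH_ORIGIN = "https://login.example-mail.com"          # hypothetical look-alike page


def totp(secret: bytes, timestamp: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HMAC-SHA1 over the time counter, dynamically truncated."""
    counter = struct.pack(">Q", timestamp // step)
    digest = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def server_verify_totp(submitted_code: str, timestamp: int) -> bool:
    """The real server only checks the digits; it cannot tell which page the
    user typed them into, so a relayed code is indistinguishable from a real one."""
    return hmac.compare_digest(submitted_code, totp(TOTP_SECRET, timestamp))


def device_sign(challenge: bytes, origin: str) -> dict:
    """Simplified stand-in for a WebAuthn assertion: the authenticator signs the
    server's challenge together with the origin the browser observed."""
    client_data = json.dumps(
        {"challenge": challenge.hex(), "origin": origin}, sort_keys=True
    ).encode()
    signature = hmac.new(DEVICE_KEY, client_data, hashlib.sha256).hexdigest()
    return {"client_data": client_data, "signature": signature}


def server_verify_assertion(assertion: dict, expected_challenge: bytes,
                            expected_origin: str) -> bool:
    """Relying-party check: the signed client data must name the server's own
    origin and the challenge it issued, and the signature must verify."""
    data = json.loads(assertion["client_data"])
    if data["origin"] != expected_origin:
        return False                       # signed for a different site: reject
    if data["challenge"] != expected_challenge.hex():
        return False                       # stale or foreign challenge: reject
    expected_sig = hmac.new(DEVICE_KEY, assertion["client_data"],
                            hashlib.sha256).hexdigest()
    return hmac.compare_digest(assertion["signature"], expected_sig)


def relayed_totp_outcome(timestamp: int) -> bool:
    """Victim types the TOTP into the look-alike page and it is forwarded
    verbatim to the real server within the same 30-second step."""
    code_typed_on_phish_page = totp(TOTP_SECRET, timestamp)
    return server_verify_totp(code_typed_on_phish_page, timestamp)


def relayed_assertion_outcome(challenge: bytes) -> bool:
    """Same relay against an origin-bound assertion: the browser on the
    look-alike page has the authenticator sign PHISH_ORIGIN, which the real
    server rejects even though the challenge itself was forwarded correctly."""
    assertion_from_phish_page = device_sign(challenge, PHISH_ORIGIN)
    return server_verify_assertion(assertion_from_phish_page, challenge, LEGIT_ORIGIN)


def legit_assertion_outcome(challenge: bytes) -> bool:
    """Control case: the user signs in on the genuine origin."""
    return server_verify_assertion(device_sign(challenge, LEGIT_ORIGIN),
                                   challenge, LEGIT_ORIGIN)


if __name__ == "__main__":
    now, chal = 1700000000, b"\x01\x02\x03\x04"
    print("relayed TOTP accepted:      ", relayed_totp_outcome(now))        # True
    print("relayed assertion accepted: ", relayed_assertion_outcome(chal))  # False
    print("genuine assertion accepted: ", legit_assertion_outcome(chal))    # True
```

The contrast is the whole point: the TOTP verifier has no input that says where the code was entered, while the assertion verifier refuses anything not signed for its own origin, which is why a phishing page sitting between the user and the service cannot reuse it.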

Hunt stated he is currently notifying affected users via email. The domain that hosted the fraudulent website has been taken down by Cloudflare.
