{"id":2500,"date":"2025-03-26T14:59:47","date_gmt":"2025-03-26T14:59:47","guid":{"rendered":"https:\/\/cybersecurityinfocus.com\/?p=2500"},"modified":"2025-03-26T14:59:47","modified_gmt":"2025-03-26T14:59:47","slug":"even-anti-scammers-get-scammed-security-expert-troy-hunt-pwned-by-phishing-email","status":"publish","type":"post","link":"https:\/\/cybersecurityinfocus.com\/?p=2500","title":{"rendered":"Even anti-scammers get scammed: security expert Troy Hunt pwned by phishing email"},"content":{"rendered":"<div>\n<div class=\"grid grid--cols-10@md grid--cols-8@lg article-column\">\n<div class=\"col-12 col-10@md col-6@lg col-start-3@lg\">\n<div class=\"article-column__content\">\n<div class=\"container\"><\/div>\n<p>Troy Hunt, the security researcher behind the popular \u201c<a href=\"https:\/\/haveibeenpwned.com\/\">Have I Been Pwned<\/a>?\u201d data breach notification site, has fallen victim to a <a href=\"https:\/\/www.csoonline.com\/article\/514515\/what-is-phishing-examples-types-and-techniques.html\">phishing<\/a> attack that exposed the email addresses of subscribers to updates of his <a href=\"https:\/\/www.troyhunt.com\/\">personal blog<\/a>.<\/p>\n<p>Hunt received an email purportedly from email marketing platform Mailchimp falsely claiming that his account had been restricted due to a spam complaint. In response, Hunt entered his login details and submitted a one-time passcode to a fake site posing as Mailchimp.<\/p>\n<p>The security researcher quickly realized his mistake and changed his login details, but not before attackers had exported a mailing list with more than 16,000 email addresses, including both current and unsubscribed blog subscribers.<\/p>\n<p>Hunt quickly went public about the attack, which did not impact the Have I Been Pwned? 
service, which remains secure.<\/p>\n<h2 class=\"wp-block-heading\">The phish allowed a \u2018highly automated\u2019 attack<\/h2>\n<p>In a <a href=\"https:\/\/www.troyhunt.com\/a-sneaky-phish-just-grabbed-my-mailchimp-mailing-list\/\">blog post<\/a>, Hunt explained how the well-crafted email had tricked him into acting on its contents. Hunt was, by his own account, travelling and somewhat jet-lagged, factors that meant he missed warning signs such as his password manager not filling in the login details, the domain of the fake site, or the unrelated sender address that posed as \u201cMailchimp Account Services\u201d.<\/p>\n<p>\u201cIt socially engineered me into believing I wouldn\u2019t be able to send out my newsletter so it triggered \u2018fear\u2019, but it wasn\u2019t all bells and whistles about something terrible happening if I didn\u2019t take immediate action,\u201d according to Hunt.<\/p>\n<div class=\"extendedBlock-wrapper block-coreImage left\">\n<p>Troy Hunt, creator of the Have I Been Pwned website<\/p>\n<p class=\"imageCredit\">Troy Hunt<\/p>\n<\/div>\n<p>The phishing attack was \u201chighly automated and designed to immediately export the list before the victim could take preventative measures,\u201d Hunt wrote.<\/p>\n<p>The attack highlights the limitations of passwords and two-factor authentication (2FA) in preventing phishing attacks. 
Hunt said the incident underscores the need for more sites to adopt <a href=\"https:\/\/www.csoonline.com\/article\/1312195\/redefining-multi-factor-authentication-why-we-need-passkeys.html\">passkeys<\/a>, a modern alternative to passwords that relies on cryptographic secrets stored on registered devices.<\/p>\n<p>\u201cBy no means would I encourage people not to enable 2FA via OTP, but let this be a lesson as to how completely useless it is against an automated phishing attack that can simply relay the OTP as soon as it\u2019s entered,\u201d Hunt concluded.<\/p>\n<p>Hunt told CSO that he had never previously fallen victim to a phishing attack, to the best of his knowledge.<\/p>\n<p>\u201cFallibility is something we all have \u2014 I never thought I was immune,\u201d Hunt said. The security researcher added that the incident illustrated that \u201csecurity is a shared responsibility\u201d, so simply blaming security-unsavvy users for falling victim to phishing attacks fails to get at the heart of the problem.<\/p>\n<p>More sites and services should introduce passkeys or non-phishable 2FA alternatives, which should not involve any major expense or difficulty to apply, Hunt concluded.<\/p>\n<h2 class=\"wp-block-heading\">Even seasoned pros are susceptible to phishing<\/h2>\n<p>Aditi Gupta, principal security consultant at Black Duck, said the attack illustrated how bad actors feed on fear and weaknesses such as tiredness and a sense of urgency in order to bait unsuspecting users.<\/p>\n<p>\u201cUsing passkeys is an immediate preventative measure, but basic hygiene like evaluating sender identity and double-checking domains on a different browser before clicking and entering credentials is a smart thing to do,\u201d according to Gupta.<\/p>\n<p>Erich Kron, security advocate at security awareness vendor KnowBe4, added that the incident illustrates how even a \u201cseasoned professional can fall victim to a well-done phishing attack\u201d.<\/p>\n<p>\u201cThis is one 
reason we should avoid shaming users who have made a mistake and potentially clicked on a link or performed some other action,\u201d Kron said. \u201cOrganisations should work toward a security culture that celebrates reporting.\u201d<\/p>\n<p>Kron added: \u201cHunt deserves kudos for speaking about it publicly, admitting his error and using this to help educate others.\u201d<\/p>\n<\/div>\n<\/div>\n<\/div>\n<\/div>","protected":false},"excerpt":{"rendered":"<p>Troy Hunt, the security researcher behind the popular \u201cHave I Been Pwned?\u201d data breach notification site has fallen victim to a phishing attack that exposed the email addresses of subscribers to updates of his personal blog. Hunt received an email purportedly from email marketing platform Mailchimp falsely claiming that his account had been restricted due [&hellip;]<\/p>\n","protected":false},"author":0,"featured_media":2501,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[],"class_list":["post-2500","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-education"],"_links":{"self":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/2500"}],"collection":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"replies":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=2500"}],"version-history":[{"count":0,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/2500\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/media\/2501"}],"wp:attachment":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=2500"}],"wp
:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=2500"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=2500"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}