HaveIBeenPwned owner suffers phishing attack that stole his Mailchimp mailing list


  • Troy Hunt, creator of the popular breach-notification website HaveIBeenPwned, has himself fallen victim to a phishing attack
  • Attackers exported roughly 16,000 subscriber records from his Mailchimp mailing list
  • Hunt calls the email 'very well-crafted'

Troy Hunt, who runs the breach-notification website HaveIBeenPwned, is notifying thousands of subscribers after falling for a Mailchimp phishing scam in which approximately 16,000 mailing-list records were exported.

In a blog post, Hunt described how the attack led to the export. He was emailed a fake 'Sending Privileges Restricted' notification, styled as a Mailchimp alert, which urged him to review his account through a link in the email.

When Hunt followed the link, he was taken to a page asking for his Mailchimp credentials which, he notes, 1Password did not auto-fill. That is a tell-tale sign: a password manager only offers a saved login on the domain it was saved for, and the phishing page was not hosted on Mailchimp's domain. Moments later, 'the penny dropped', Hunt says, as he realized his mistake.
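The auto-fill check that gave the game away is simple to reproduce. The following is an added example, not code from the article or from 1Password: a toy password-manager matcher that only offers a saved login when the page's registrable domain equals the one stored in the vault. The vault entries and the phishing-style URLs are constructed for illustration (the article does not name the real phishing domain), and the two-label public-suffix table stands in for the full Public Suffix List that real managers ship.

```python
from urllib.parse import urlsplit

# Constructed vault for this example: name -> URL the login was saved on.
VAULT = {
    "Mailchimp": "https://login.mailchimp.com/",
    "1Password": "https://my.1password.com/",
}

# Tiny stand-in for the Public Suffix List (assumption: real managers use the full list).
MULTI_LABEL_SUFFIXES = {"co.uk", "com.au"}


def registrable_domain(host: str) -> str:
    """Return the eTLD+1 for a hostname, e.g. login.mailchimp.com -> mailchimp.com."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def autofill_matches(page_url: str, vault: dict = VAULT) -> list:
    """Names of vault entries a manager would offer to fill on page_url.

    Only HTTPS pages qualify, and the page's registrable domain must equal the
    saved entry's. Subdomains of mailchimp.com match; lookalikes such as
    login.mailchimp.com.example.net or mailchimp-review.com do not, which is
    exactly why a phishing page stays empty instead of being auto-filled.
    """
    parts = urlsplit(page_url)
    if parts.scheme != "https" or not parts.hostname:
        return []
    page_domain = registrable_domain(parts.hostname)
    return [
        name for name, saved_url in vault.items()
        if registrable_domain(urlsplit(saved_url).hostname) == page_domain
    ]


if __name__ == "__main__":
    # Constructed URLs: one legitimate, three phishing-style lookalikes.
    for url in (
        "https://us1.admin.mailchimp.com/account/",
        "https://login.mailchimp.com.example.net/signin",
        "https://mailchimp-review.com/login",
        "https://login.mailchimp.com@evil.example/signin",
    ):
        print(url, "->", autofill_matches(url))
```

The practical lesson from Hunt's account is that an unexpectedly empty login form is a signal in its own right: if the manager that normally fills a site offers nothing, check the address bar before typing anything, and treat the absence of a match as a reason to stop rather than an inconvenience to work around.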

Moments of weakness

Once Hunt realized he had been targeted, he immediately changed his password and checked his account activity, but the mailing list had already been exported in what he called a "highly-automated" attack: the credentials and one-time code entered on the fake page were replayed against Mailchimp in real time, so a password change minutes later came too late.

Why was this specific attack so successful against such a seasoned InfoSec expert? Hunt says the email arrived after a long flight, at a time when he was tired and not thinking clearly. On top of that, Hunt describes it as a "very well-crafted phish":

“It socially engineered me into believing I wouldn't be able to send out my newsletter so it triggered "fear", but it wasn't all bells and whistles about something terrible happening if I didn't take immediate action. It created just the right amount of urgency without being over the top,” he explained.

HaveIBeenPwned, which lets people check whether their email address has appeared in a data breach, has been loaded with the exposed list, and affected subscribers will be notified directly, including those who had unsubscribed but whose details were still retained and exported.

The incident shows just how convincing phishing attacks can be, and that even the best-prepared among us can be caught out.

Given how often people overestimate their ability to spot a phishing email, it is a useful reminder that vigilance is always needed, and that the most reliable defences are the ones that do not depend on noticing the attack, such as phishing-resistant authentication and password managers that refuse to fill on an unfamiliar domain.


Ellen Jennings-Trace
Staff Writer

Ellen has been writing for almost four years, with a focus on post-COVID policy whilst studying for BA Politics and International Relations at the University of Cardiff, followed by an MA in Political Communication. Before joining TechRadar Pro as a Junior Writer, she worked for Future Publishing’s MVC content team, working with merchants and retailers to upload content.
