Creator of HaveIBeenPwned Data Breach Site Falls for Phishing Email

Troy Hunt, the security researcher who runs the data breach notification site HaveIBeenPwned.com, has disclosed that he fell for a phishing email that led to the compromise of his personal blog's mailing list. Hunt said the attack caught him while he was visiting government partners in London, jetlagged and tired.

The breach affects roughly 16,000 email addresses: current subscribers to Hunt's personal blog as well as people who had previously unsubscribed from the list. The lure was a phishing message impersonating Mailchimp, the email provider Hunt used for the account tied to his blog. It claimed Mailchimp had received a spam complaint and had been forced to restrict sending privileges on his account.

Hunt clicked the link in the email and entered his credentials and one-time passcode into an attacker-controlled login page. He realized something was wrong when the login process "hung" rather than completing, and he went to his real Mailchimp account to change his password. By then it was too late: the attacker had already logged in and exported the mailing list. The speed of the export, within the validity window of a single one-time code, indicates the attack was automated, with the phishing page relaying his password and code to Mailchimp as soon as he typed them.

"I'm enormously frustrated with myself for having fallen for this, and I apologize to anyone on that list," Hunt said in a statement. "Tiredness was a major factor. I wasn't alert enough, and I didn't properly think through what I was doing." Hunt said he receives phishing emails regularly and noted that fatigue from traveling was what made him vulnerable to this one.

The phishing email worked by creating a sense of urgency: it convinced Hunt that Mailchimp was about to cut off his newsletter. At the same time, its tone was restrained enough not to trip the alarm that an overtly threatening message would have, which made it harder to stop and think critically about what was being asked.

The incident also illustrates the limits of one-time-passcode two-factor authentication (2FA) against phishing. Hunt had 2FA enabled on his Mailchimp account, but a one-time code is just a short string that is valid for a brief window: it carries no information about which site it was typed into, so a phishing page that forwards the password and code to the real login within that window is indistinguishable from the legitimate user. "Let this be a lesson as to how completely useless it is against an automated phishing attack that can simply relay the OTP as soon as it's entered," Hunt emphasized. This is a weakness of SMS, email and authenticator-app codes alike; only methods that bind the authentication to the site's origin, such as FIDO2/WebAuthn passkeys and hardware security keys, resist a real-time relay.

In response to the breach, Hunt has asked Mailchimp about its plans to support passkeys. Because a passkey response is cryptographically bound to the origin the browser is actually on, a look-alike phishing domain cannot obtain a response the real service would accept, which would have stopped this attack. He has also questioned why Mailchimp retained the email addresses of people who had unsubscribed from his list rather than deleting them, since that retention is what caused those addresses to be included in the export.
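The two paragraphs above describe the mechanism in words. The following added example (constructed for this article; not code from Troy Hunt, Mailchimp or the attacker) simulates both sides: a service that checks a password plus an RFC 6238 TOTP code, a phishing proxy that relays what the victim typed a few seconds later, and a passkey-style relying party that rejects the same relay because the browser signs the origin it is actually on. The hostnames, secrets and timestamps are made up, and an HMAC with a shared key stands in for the authenticator's private-key signature; the origin check, not the signature scheme, is what the example demonstrates.

```python
"""Constructed simulation: a relayed one-time passcode is accepted, an
origin-bound passkey assertion is not. Hostnames and secrets are made up."""
import hashlib
import hmac
import json
import secrets
import struct


def totp(secret: bytes, now: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1, 30 s step) for Unix time `now`."""
    mac = hmac.new(secret, struct.pack(">Q", now // step), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    truncated = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{truncated % 10 ** digits:0{digits}d}"


class OtpService:
    """Password + TOTP login; accepts the current and previous step for clock skew."""
    def __init__(self, password: str, totp_secret: bytes) -> None:
        self.password, self.totp_secret = password, totp_secret

    def login(self, password: str, code: str, now: int) -> bool:
        if not hmac.compare_digest(password, self.password):
            return False
        return any(hmac.compare_digest(code, totp(self.totp_secret, now - skew))
                   for skew in (0, 30))


def relay_otp(service: OtpService, password: str, code: str, typed_at: int, delay: int) -> bool:
    """The phishing page: the victim types password and code at `typed_at`, the proxy
    replays them `delay` seconds later. The code says nothing about where it was typed."""
    return service.login(password, code, typed_at + delay)


class PasskeyService:
    """WebAuthn-style relying party (HMAC stands in for the authenticator signature)."""
    def __init__(self, origin: str, credential_key: bytes) -> None:
        self.origin, self.credential_key, self.pending = origin, credential_key, set()

    def issue_challenge(self) -> str:
        challenge = secrets.token_urlsafe(16)
        self.pending.add(challenge)
        return challenge

    def login(self, assertion: dict) -> bool:
        client_data = json.loads(assertion["clientDataJSON"])
        if client_data.get("origin") != self.origin:
            return False  # signed on another site: a relayed phish
        if client_data.get("challenge") not in self.pending:
            return False  # replay or unknown challenge
        digest = hashlib.sha256(assertion["clientDataJSON"].encode()).digest()
        expected = hmac.new(self.credential_key, digest, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, assertion["signature"]):
            return False
        self.pending.discard(client_data["challenge"])
        return True


def browser_sign(credential_key: bytes, challenge: str, browser_origin: str) -> dict:
    """What the victim's browser produces: the browser, not the user, fills in the
    origin of the page it is actually on. (A real browser would additionally refuse
    to use a credential whose RP ID does not match the phishing domain.)"""
    client_data = json.dumps({"type": "webauthn.get", "challenge": challenge,
                              "origin": browser_origin}, sort_keys=True)
    digest = hashlib.sha256(client_data.encode()).digest()
    signature = hmac.new(credential_key, digest, hashlib.sha256).hexdigest()
    return {"clientDataJSON": client_data, "signature": signature}


def run_scenarios() -> dict:
    """Constructed scenarios; returns which logins each service accepts."""
    password, totp_secret = "correct horse battery", b"constructed-totp-seed"
    otp_svc = OtpService(password, totp_secret)
    typed_at = 1_700_000_000  # fixed clock so the outcome is deterministic
    code = totp(totp_secret, typed_at)

    real_origin, phish_origin = "https://mail.example", "https://mail-login.example.net"
    key = b"constructed-credential-key"
    pk_svc = PasskeyService(real_origin, key)
    return {
        "otp_direct": otp_svc.login(password, code, typed_at),
        # relayed within seconds: indistinguishable from the victim, accepted
        "otp_relayed_fast": relay_otp(otp_svc, password, code, typed_at, delay=5),
        # a relay that waits past the code's window fails; automation avoids this
        "otp_relayed_stale": relay_otp(otp_svc, password, code, typed_at, delay=120),
        "passkey_direct": pk_svc.login(browser_sign(key, pk_svc.issue_challenge(), real_origin)),
        # proxy fetches a real challenge; the victim's browser signs it on the phishing origin
        "passkey_relayed": pk_svc.login(browser_sign(key, pk_svc.issue_challenge(), phish_origin)),
    }


if __name__ == "__main__":
    for name, accepted in run_scenarios().items():
        print(f"{name:20s} accepted={accepted}")
```

Running it shows `otp_relayed_fast` accepted alongside the legitimate login, which is the "hung" login Hunt saw from the other side: the proxy was busy using his code. Only the stale relay and the passkey relay are refused, the latter because the signed client data names the phishing origin, which the relying party compares against its own before it even looks at the signature.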

As Hunt notifies affected subscribers by email and assesses the damage, the episode stands as a reminder that phishing works against experienced security professionals too, and that vigilance is hardest to sustain exactly when an attacker's timing is good. "We all have moments of weakness, and if the phish times just perfectly with that, well, here we are," Hunt noted in his statement.