
Creator of HaveIBeenPwned Data Breach Site Falls for Phishing Email

However, the hacker behind the phishing attack appears to have only stolen the email addresses of those who subscribed to Troy Hunt's blog, rather than Haveibeenpwned.com.

Michael Kan, Principal Reporter

(Sarayut Thaneerat via Getty)

A hacker has managed to phish Troy Hunt, the creator of HaveIBeenPwned.com, tricking the security expert into clicking a malicious email while he was jetlagged. 

The breach affects people who subscribed to Hunt’s personal blog, rather than HaveIBeenPwned, a data breach notification site that’s attracted millions of users. “I'm enormously frustrated with myself for having fallen for this, and I apologize to anyone on that list,” he said. 

On Tuesday, Hunt disclosed the breach, which affects 16,000 email addresses. The attack occurred through a phishing message that pretended to come from his email provider Mailchimp. The phishing email claimed that Mailchimp had received a spam complaint and was forced to restrict “sending privileges” to Hunt’s account tied to his personal blog.

Hunt clicked on the phishing email, which led him to enter his credentials and one-time passcode into a hacker-controlled login page. But he quickly realized something was off when the login process “hung.” Hunt changed the password on his real Mailchimp account, but it was too late: The hacker had breached his account and exported his mailing list — suggesting the entire attack was automated.

Hunt adds that 7,535 users who had unsubscribed from his blog were also ensnared in the hack because Mailchimp had failed to delete their email addresses.

Hunt, who’s Australian, says he fell for the phishing scheme while visiting government partners in London. Although he’s received and fended off a “gazillion similar phishes before,” Hunt said this particular phishing email caught him off guard because he was exhausted from traveling.

“Tiredness, was a major factor. I wasn't alert enough, and I didn't properly think through what I was doing,” he wrote on his own blog. “The attacker had no way of knowing that (I don't have any reason to suspect this was targeted specifically at me), but we all have moments of weakness and if the phish times just perfectly with that, well, here we are.”

The malicious email
(Credit: Troy Hunt)

Like other phishing scams, the malicious email successfully created a sense of urgency and exploited Hunt’s fears by fooling him into thinking Mailchimp was about to suspend his newsletter. “It wasn't all bells and whistles about something terrible happening if I didn't take immediate action. It created just the right amount of urgency without being over the top,” he said. 

The hack also underscores how two-factor authentication isn’t bulletproof. Hunt’s Mailchimp account had 2FA activated, but the phishing attack was still able to trick him into giving up a one-time passcode, which it quickly used to break into his account. “Let this be a lesson as to how completely useless it is against an automated phishing attack that can simply relay the OTP as soon as it's entered,” he said. 

In response, he’s asked Mailchimp whether the company plans to offer passkeys, which can stop such phishing attacks. He’s also wondering why Mailchimp didn’t delete the email addresses of people who unsubscribed from his blog.
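The two paragraphs above make a mechanical point that is easy to state and easy to misread: a one-time code verifies at the real site no matter which page the user typed it into, whereas a passkey assertion is bound to the origin the browser actually saw. The following is an added illustration written for this article, not code from Hunt, Mailchimp, or PCMag. It models TOTP exactly per RFC 6238 (HMAC-SHA1, 30-second step), but stands in for the passkey with a simplified HMAC over the challenge and origin instead of a real WebAuthn public-key signature; the origin strings and the shared secret are constructed values.

```python
"""Why a relayed OTP still verifies but an origin-bound passkey assertion does not.

Added illustration, not the article's or any vendor's code. The TOTP part follows
RFC 6238; the "passkey" part is a simplified model (assumption): the authenticator
signs the challenge together with the origin the browser is on, and the server
checks that origin, which is what WebAuthn's clientDataJSON verification does.
"""
import hashlib
import hmac
import secrets
import struct

# Constructed origins: the real service and a look-alike phishing domain.
REAL_ORIGIN = "https://login.example-mailer.test"
PHISH_ORIGIN = "https://login.example-mailer-alerts.test"


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP with HMAC-SHA1 and dynamic truncation (RFC 4226)."""
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{binary % (10 ** digits):0{digits}d}"


def server_verify_totp(secret: bytes, submitted_code: str, now: int) -> bool:
    """The real site only checks that the code matches the current time step."""
    return hmac.compare_digest(totp(secret, now), submitted_code)


def relayed_otp_is_accepted(secret: bytes, now: int) -> bool:
    """A code typed into the phishing page and forwarded within the same time
    step is indistinguishable from one typed into the real page: nothing in the
    code says where it was entered. This is the failure mode Hunt describes."""
    code_typed_on_phish_page = totp(secret, now)
    return server_verify_totp(secret, code_typed_on_phish_page, now)


# ---- simplified passkey model (assumption: HMAC stands in for a signature) ----

def authenticator_sign(cred_key: bytes, challenge: str, browser_origin: str):
    """The browser, not the user, records the origin of the page requesting the
    assertion; the authenticator then signs the challenge and that origin."""
    client_data = f"{challenge}|{browser_origin}".encode()
    return client_data, hmac.new(cred_key, client_data, hashlib.sha256).digest()


def server_verify_assertion(cred_key: bytes, challenge: str, expected_origin: str,
                            client_data: bytes, signature: bytes) -> bool:
    """The relying party checks the challenge, the origin, and the signature."""
    try:
        seen_challenge, seen_origin = client_data.decode().split("|", 1)
    except ValueError:
        return False
    if not hmac.compare_digest(seen_challenge, challenge):
        return False
    if seen_origin != expected_origin:  # origin binding: this is what defeats relay
        return False
    expected_sig = hmac.new(cred_key, client_data, hashlib.sha256).digest()
    return hmac.compare_digest(expected_sig, signature)


def relayed_passkey_is_accepted(cred_key: bytes) -> bool:
    """Even if the attacker forwards the genuine challenge to the victim, the
    browser stamps the phishing origin into the client data, so verification
    at the real origin fails."""
    challenge = secrets.token_hex(16)
    client_data, sig = authenticator_sign(cred_key, challenge, PHISH_ORIGIN)
    return server_verify_assertion(cred_key, challenge, REAL_ORIGIN, client_data, sig)


def legitimate_passkey_is_accepted(cred_key: bytes) -> bool:
    """Control case: same credential used on the real origin verifies."""
    challenge = secrets.token_hex(16)
    client_data, sig = authenticator_sign(cred_key, challenge, REAL_ORIGIN)
    return server_verify_assertion(cred_key, challenge, REAL_ORIGIN, client_data, sig)


if __name__ == "__main__":
    shared_secret = b"12345678901234567890"  # RFC 6238 test-vector secret
    cred_key = secrets.token_bytes(32)       # constructed per-credential key
    print("relayed OTP accepted:     ", relayed_otp_is_accepted(shared_secret, 59))
    print("relayed passkey accepted: ", relayed_passkey_is_accepted(cred_key))
    print("legitimate passkey accepted:", legitimate_passkey_is_accepted(cred_key))
```

In real WebAuthn the browser also refuses to exercise a credential at all unless the page's domain matches the credential's relying-party ID, so the phishing site never even gets an assertion to forward; the model above shows only the server-side origin check, which is the second, independent reason a relayed login fails. The OTP path has no equivalent check, which is why "relay the OTP as soon as it's entered" works against any code-based second factor.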

In the meantime, Hunt is notifying affected users through email. Mailchimp didn’t immediately respond to a request for comment.
