
Troy Hunt, a security consultant who runs the popular data-breach search service Have I Been Pwned, has disclosed that he’s the victim of a phishing attack that exposed the email addresses of 16,000 subscribers. Here’s what we can learn.
Hunt informed his readers that phishers had compromised his Mailchimp account and exfiltrated the mailing list for his blog troyhunt.com.
He explains that cybercriminals caught him off-guard when he was really tired and jet-lagged.
Cybercriminals crafted a very convincing email impersonating the legitimate platform, informing him that the account’s “sending privileges have been restricted due to a spam complaint.”
The phishers also used a malicious domain, “mailchimp-sso.com”, to harvest the credentials; the name could easily be mistaken for a legitimate URL used in the single sign-on (SSO) login process. Cloudflare blocked the malicious domain less than three hours after the attack.

Hunt confirms in a blog post that he entered his credentials himself, and they did not autocomplete from the password manager.
“I then entered the OTP and the page hung. Moments later, the penny dropped, and I logged onto the official website,” Troy said in a blog post.
Unfortunately, it was too late – an automated attack immediately exported the mailing list before he could take preventative measures. Mailchimp sent notifications about recent activity from an IP address in New York.
The cyberattackers exfiltrated approximately 16,000 records, including over 7,500 email addresses of people who unsubscribed.
“The export also includes people who’ve unsubscribed (why does Mailchimp keep these?!), so I'll need to work out how to handle those ones separately,” Hunt informs.
“I'm enormously frustrated with myself for having fallen for this, and I apologize to anyone on that list.”
It finally happened - I got phished. Impact is limited to the Mailchimp mailing list for my blog, brief blog post with details here and more to come later: https://t.co/AMIfmvAwYJ
Troy Hunt (@troyhunt), March 25, 2025
Anyone, even cybersecurity professionals, can fall victim to phishing attacks. Fatigue, distractions, and similar factors often contribute to mistakes, and phishing lures exploit this by creating a sense of urgency or fear that clouds careful decision-making.
This incident highlights the limitations of traditional two-factor authentication (2FA) based on one-time codes, which a phishing page can simply relay to the real site. For some time now, cybersecurity authorities have recommended phishing-resistant multi-factor authentication. Unfortunately for Hunt, Mailchimp does not offer this option.
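As an added illustration, not code from Hunt's post or from Mailchimp, here is a small Python model of why a one-time code typed into a lookalike page can be relayed to the real site, while a WebAuthn-style assertion bound to the page origin cannot. The origins, password, code and the HMAC that stands in for the authenticator's signature are all constructed for the example.

```python
import hashlib
import hmac
import json
import secrets

LEGIT_ORIGIN = "https://mailchimp.com"      # assumed legitimate origin (illustrative)
PHISH_ORIGIN = "https://mailchimp-sso.com"  # lookalike domain named in the article
RP_ID = "mailchimp.com"                     # assumed relying-party ID for the model


# --- Flow 1: password + one-time code, the kind of 2FA the article describes ---
def make_otp_service(expected_password, expected_otp):
    """The real site: checks password and code, knows nothing about where they were typed."""
    def accepts(password, otp):
        return (hmac.compare_digest(password, expected_password)
                and hmac.compare_digest(otp, expected_otp))
    return accepts


def relay_otp_login(service_accepts, password, otp):
    """A phishing page forwards whatever the victim typed; nothing ties the code to the page."""
    return service_accepts(password, otp)


# --- Flow 2: origin-bound assertion (WebAuthn-style) ---
def browser_permits(rp_id, origin):
    """Browser-side check: the page host must equal the RP ID or be a subdomain of it."""
    host = origin.split("://", 1)[1]
    return host == rp_id or host.endswith("." + rp_id)


def authenticator_assert(key, challenge, origin):
    """Sign over the challenge AND the origin the browser saw. Simplification: an HMAC with a
    key shared by authenticator and RP stands in for the real public-key signature."""
    client_data = json.dumps({"challenge": challenge, "origin": origin}, sort_keys=True)
    sig = hmac.new(key, client_data.encode(), hashlib.sha256).hexdigest()
    return {"client_data": client_data, "sig": sig}


def rp_verify(key, challenge, assertion, expected_origin):
    """Relying party: reject if origin or challenge do not match, then check the signature."""
    data = json.loads(assertion["client_data"])
    if data["origin"] != expected_origin or data["challenge"] != challenge:
        return False
    expect = hmac.new(key, assertion["client_data"].encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expect, assertion["sig"])


def simulate():
    pw, otp = "constructed-password", "493021"         # constructed sample credentials
    otp_relayed = relay_otp_login(make_otp_service(pw, otp), pw, otp)
    key, challenge = secrets.token_bytes(32), secrets.token_hex(16)
    phished = authenticator_assert(key, challenge, PHISH_ORIGIN)   # browser reports real origin
    genuine = authenticator_assert(key, challenge, LEGIT_ORIGIN)
    return {"otp_relay_accepted": otp_relayed,
            "browser_permits_on_phish": browser_permits(RP_ID, PHISH_ORIGIN),
            "webauthn_relay_accepted": rp_verify(key, challenge, phished, LEGIT_ORIGIN),
            "webauthn_genuine_accepted": rp_verify(key, challenge, genuine, LEGIT_ORIGIN)}
```

In practice the browser refuses to invoke the credential on the lookalike host at all, so the relayed assertion is never even produced; the RP-side origin check is the second line of defence.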
“I've received a gazillion similar phishes before that I've identified early, so what was different about this one? Tiredness was a major factor. I wasn't alert enough, and I didn't properly think through what I was doing,” Hunt explains.
“We all have moments of weakness and if the phish times just perfectly with that, well, here we are.”