Facepalm: Even the best of us can fall for scams. Just look at Troy Hunt, the security expert and creator of the HaveIBeenPwned.com website, who was tricked by a phishing email. The attackers managed to steal his mailing list for his personal blog, compromising roughly 16,000 emails, around half of which belong to people who had unsubscribed from the list.
Hunt says he was jet-lagged and tired when he read an email that appeared to come from Mailchimp, the service he uses for his mailing list. It claimed that the company had received a spam complaint against Hunt's personal blog newsletter, leading to restricted sending privileges.
Hunt clicked on the link in the email. It led him to a page where he entered his login credentials, which he notes did not auto-fill from the 1Password password manager extension. He then entered the one-time password and the page hung, at which point he realized he’d been tricked.
Hunt then logged in to the official Mailchimp website to change his password, but it was too late – he had already received an alert that his mailing list had been exported from an IP address in New York. There was also a login alert from the same IP. These scams are automated, so the login and export happen before the victim can change their credentials.
Of the 16,000 email addresses stolen by the hacker, 7,535 belonged to people who had unsubscribed from the mailing list. Hunt said he wasn't sure why Mailchimp held on to data from unsubscribed users and that he would investigate whether it was a configuration issue on his part.
The one consolation for Hunt is that the hack didn’t impact his HaveIBeenPwned site, where you can type in your email to see if it was part of previous data breaches, including Hunt’s Mailchimp list breach.
Most of us would never click on an email link, and Hunt emphasized that he's avoided "gazillion similar phishes before," but the Australian says he was exhausted from traveling to London when he read this message. He added that the mail created a sense of urgency that wasn't strong enough to be suspicious, but enough to warrant a quick response.
"Tiredness was a major factor. I wasn't alert enough, and I didn't properly think through what I was doing," he wrote on his own blog. "The attacker had no way of knowing that (I don't have any reason to suspect this was targeted specifically at me), but we all have moments of weakness and if the phish times just perfectly with that, well, here we are."
Hunt also noted that the attack illustrates how some two-factor authentication methods aren't a guarantee that you won't be hacked. He says one-time-password 2FA is completely useless against an automated phishing attack that relays the OTP to the real site as soon as it's entered.
Hunt said he is now alerting affected users via email. The domain used to host the fake website has been taken down by Cloudflare.