HaveIBeenPwned owner suffers phishing attack that stole his Mailchimp mailing list

Troy Hunt fell for a ‘very well crafted’ phishing attack.

Mar 26, 2025 - 13:42

  • Troy Hunt, creator of the popular website HaveIBeenPwned, has himself fallen victim to a phishing incident
  • Attackers exported roughly 16,000 subscriber records from his Mailchimp mailing list
  • Hunt calls the email 'very well-crafted'

Troy Hunt, the owner of the breach-notification website HaveIBeenPwned, is notifying thousands of subscribers after falling for a Mailchimp phishing scam in which approximately 16,000 mailing-list records were compromised.

In a blog post, Hunt described the attack that led to the export of his mailing list: he was emailed a fake ‘Sending Privileges Restricted’ notification, which urged him to review his account through a link in the email.

When Hunt followed the link, he was taken to a page and asked to enter his credentials, which, he notes, did not auto-complete from 1Password. That is a tell-tale sign: a password manager only offers a saved login on the site it was saved for, so a login page that gets no autofill is very often not the site it claims to be. Moments later, ‘the penny dropped’, Hunt says, as he realized his mistake.
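To make the ‘no autofill’ signal concrete, here is an added example (not code from the article, from Troy Hunt or from 1Password) that mimics the origin check a password manager performs before offering a saved credential. The vault contents and every URL below are constructed for the example; the lookalike hosts use the reserved `.example` domain and are not real phishing sites.

```python
from typing import Optional
from urllib.parse import urlsplit

# Constructed sample vault: one saved login, bound to the host it was saved on.
# Real managers key on the full origin (scheme + host [+ port]); the host-suffix
# rule used here is a simplification that keeps the example short.
VAULT = {
    "mailchimp.com": {
        "username": "user@example.com",        # constructed
        "password": "correct horse battery staple",
    },
}


def host_matches(host: str, saved_host: str) -> bool:
    """True only if host is saved_host itself or a subdomain of it.

    A plain substring test would be fooled by 'mailchimp.com.evil.example';
    requiring the dot-separated suffix is what defeats that trick.
    """
    return host == saved_host or host.endswith("." + saved_host)


def credential_for(url: str) -> Optional[dict]:
    """Decide whether a password manager would offer autofill for url.

    Returns the saved credential on a genuine match, None otherwise.
    """
    parts = urlsplit(url)
    if parts.scheme != "https":
        return None  # never fill over plain HTTP
    # .hostname strips any 'user@' prefix, so 'https://mailchimp.com@evil.example/'
    # resolves to 'evil.example', not 'mailchimp.com'.
    host = (parts.hostname or "").lower()
    for saved_host, cred in VAULT.items():
        if host_matches(host, saved_host):
            return cred
    return None


if __name__ == "__main__":
    # Constructed URLs: one genuine, the rest lookalikes a phish might use.
    for candidate in (
        "https://login.mailchimp.com/",
        "https://mailchimp-login.example/",
        "https://login.mailchimp.com.evil.example/",
        "https://mailchimp.com@evil.example/login",
        "http://mailchimp.com/login",
    ):
        print(candidate, "->", "autofill" if credential_for(candidate) else "NO autofill")
```

Only the first URL gets a credential; the hyphenated lookalike, the nested-subdomain trick, the `user@` URL trick and the downgrade to HTTP all come back empty. That silence is exactly the signal Hunt noticed a moment too late, and it is worth treating as a hard stop rather than a curiosity.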

Moments of weakness

Once Hunt realized he had been targeted, he immediately changed his password and checked his account activity, but the mailing list had already been exported in the “highly automated” attack. A password reset closes the door; it cannot recall data that has already been taken.

Why was this specific attack so successful against such a seasoned InfoSec expert? Hunt says the email arrived after a long flight, at a time when he was tired and not thinking clearly. On top of that, he describes it as a “very well-crafted phish”:

“It socially engineered me into believing I wouldn't be able to send out my newsletter so it triggered "fear", but it wasn't all bells and whistles about something terrible happening if I didn't take immediate action. It created just the right amount of urgency without being over the top,” he explained.

HaveIBeenPwned, which lets people check whether their details have appeared in a data breach, will be updated with the exposed records, and affected subscribers will be notified directly. That includes people who had unsubscribed but whose details were still held in the list and so were exported along with everyone else's.

This incident illustrates just how convincing phishing attacks can be, and shows that even the most prepared amongst us can be caught out.

Considering that most workers are overconfident at spotting phishing attacks, this serves as a great reminder that vigilance is always needed.
