Mailchimp Mishap: Infosec Expert Troy Hunt Falls for Phish, Exposes 16,000 Subscribers

Infosec veteran Troy Hunt, known for HaveIBeenPwned, is notifying subscribers after phishers captured his Mailchimp credentials and exported his mailing list. Hunt, who was jet-lagged at the time, admitted falling for an “impressively crafted” phish: the email used classic urgency tactics, he entered his credentials on the fake login page, and the attackers used them almost immediately to export roughly 16,000 records.


Hot Take:

Looks like even the cybersecurity rockstars are human after all! Troy Hunt, the legend behind HaveIBeenPwned, just learned the hard way that jet lag and phishing emails are a match made in cyber hell. Note to self: Don’t try to save the world from cyber threats while sleep-deprived, or you might end up needing to save yourself!

Key Points:

– Troy Hunt’s Mailchimp mailing list, containing 16,000 records, was phished.
– Half of the affected records belonged to unsubscribed users, raising questions about data retention.
– The phish was well-crafted, playing on urgency and exploiting Hunt’s jet-lagged state.
– Hunt’s credentials were used to export the mailing list in under two minutes.
– The incident highlights the limitations of OTP-based 2FA against automated phishing: a one-time code typed into a fake login page is still valid for its whole time window, so a phishing kit can relay it to the real site in seconds. Only phishing-resistant factors such as passkeys (WebAuthn/FIDO2), which bind the login to the genuine origin, stop that relay.
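To make the last key point concrete, here is an added demonstration (not code from Hunt or from Mailchimp) of why a relayed OTP is accepted by the real server while a relayed origin-bound assertion is not. Every secret, origin, challenge and the RP ID are constructed demo values, and an HMAC stands in for the authenticator's signature so the script needs only the standard library; the WebAuthn flow is simplified (the browser derives the RP ID from the page host, whereas real browsers also allow a registrable parent domain).

```python
"""Constructed demo: an OTP relays through a phishing page, an
origin-bound WebAuthn-style assertion does not. All secrets, origins
and challenges are made up; HMAC stands in for the authenticator's
signature so this runs with the standard library only."""
import hashlib
import hmac
import json
import struct

# Constructed demo values, not real credentials or domains.
TOTP_SECRET = b"constructed-demo-totp-secret"
DEVICE_KEY = b"constructed-demo-authenticator-key"   # stands in for a passkey's private key
REAL_ORIGIN = "https://login.example.test"             # hypothetical legitimate site
PHISH_ORIGIN = "https://login.example-test.evil.test"  # hypothetical lookalike
RP_ID = "login.example.test"                           # the real relying-party ID


def totp(secret: bytes, at: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP over HMAC-SHA1 with RFC 4226 dynamic truncation."""
    counter = struct.pack(">Q", at // step)
    digest = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"


def verify_totp(secret: bytes, code: str, at: int, window: int = 1) -> bool:
    """Server-side check: any code from the neighbouring time steps passes.
    Nothing in the code records where the user typed it."""
    return any(
        hmac.compare_digest(totp(secret, at + d * 30), code)
        for d in range(-window, window + 1)
    )


def phish_relays_totp(at: int) -> bool:
    """Victim types the live code into the phishing page; the kit forwards
    it to the real server a few seconds later, inside the validity window.
    Returns True if the real server accepts the relayed login."""
    code_typed_on_phish_page = totp(TOTP_SECRET, at)   # victim's authenticator app
    return verify_totp(TOTP_SECRET, code_typed_on_phish_page, at + 5)


# ---- origin-bound second factor (WebAuthn-style, simplified) -------------

def browser_assertion(page_origin: str, challenge: str) -> dict:
    """What the browser hands back for navigator.credentials.get().
    The browser, not the page, writes `origin` into clientDataJSON and
    derives the RP ID from the page host (simplified; real browsers also
    allow a registrable parent domain, but a lookalike host can never
    claim RP_ID)."""
    client_data = json.dumps(
        {"type": "webauthn.get", "challenge": challenge, "origin": page_origin},
        sort_keys=True,
    ).encode()
    rp_id_hash = hashlib.sha256(page_origin.split("://", 1)[1].encode()).digest()
    signed = rp_id_hash + hashlib.sha256(client_data).digest()
    # Stand-in for the authenticator's signature over authData || hash(clientData).
    signature = hmac.new(DEVICE_KEY, signed, hashlib.sha256).digest()
    return {"client_data": client_data, "rp_id_hash": rp_id_hash, "signature": signature}


def verify_assertion(assertion: dict, issued_challenge: str) -> bool:
    """Relying-party checks in the order the WebAuthn spec lists them:
    type and challenge, origin, RP ID hash, then the signature."""
    cd = json.loads(assertion["client_data"])
    if cd.get("type") != "webauthn.get" or cd.get("challenge") != issued_challenge:
        return False
    if cd.get("origin") != REAL_ORIGIN:
        return False                       # the phish-relayed assertion dies here
    if assertion["rp_id_hash"] != hashlib.sha256(RP_ID.encode()).digest():
        return False
    expected = hmac.new(
        DEVICE_KEY,
        assertion["rp_id_hash"] + hashlib.sha256(assertion["client_data"]).digest(),
        hashlib.sha256,
    ).digest()
    return hmac.compare_digest(expected, assertion["signature"])


def phish_relays_webauthn() -> bool:
    """Same relay: the kit fetches a real challenge, serves the victim a
    login page on PHISH_ORIGIN and forwards whatever the browser returns."""
    challenge = "constructed-random-challenge-123"     # issued by the real server
    assertion = browser_assertion(PHISH_ORIGIN, challenge)
    return verify_assertion(assertion, challenge)


def legit_webauthn() -> bool:
    """Control case: the same ceremony from the genuine origin."""
    challenge = "constructed-random-challenge-456"
    return verify_assertion(browser_assertion(REAL_ORIGIN, challenge), challenge)


if __name__ == "__main__":
    now = 1_700_000_000
    print("relayed TOTP accepted:", phish_relays_totp(now))
    print("relayed passkey accepted:", phish_relays_webauthn())
    print("genuine passkey accepted:", legit_webauthn())
```

The TOTP verifier has no way to tell a relayed code from one typed on the real site, which is the whole problem; the assertion verifier rejects the relayed login on the `origin` check before it even reaches the signature, and the RP ID hash check would fail anyway because the lookalike host cannot hash to `RP_ID`.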

The Nimble Nerd