Tuesday, June 24, 2025

Troy Hunt Falls for Phishing Attack, Exposing Mailing List of 16,000 Subscribers

Troy Hunt, the cybersecurity expert behind HaveIBeenPwned, is used to reporting on breaches—not experiencing them firsthand. But in an unexpected turn, he recently fell victim to a phishing attack that led to his entire mailing list being stolen. The attack was cleverly designed, highlighting the increasing sophistication of online threats—even for seasoned professionals.

A Well-Crafted Phishing Scam

Hunt received an email appearing to be from Mailchimp, the service he uses to manage his email lists. The email claimed that his account’s sending privileges had been temporarily restricted due to a spam complaint. To resolve the issue, he was prompted to log in and review recent campaigns and audience lists. The email appeared legitimate, striking just the right balance of urgency without triggering suspicion.

He clicked the link, entered his credentials, and then typed in the one-time password (OTP) when prompted. But something was off: his password manager, 1Password, had not offered to autofill his credentials on that page. That was the first red flag. By the time he realized what had happened and logged into the real Mailchimp website, the damage had been done. The attackers had relayed his password and OTP to the genuine Mailchimp login while the code was still valid, and his entire mailing list, around 16,000 email addresses, had already been exported from an IP address in New York.


Why Even Experts Get Caught

Hunt was quick to dissect what went wrong. In his blog post, he pointed out several factors that made him more susceptible to the attack:

  • Jetlagged and Distracted: He was traveling at the time, making him less alert than usual.
  • Psychological Manipulation: The email was designed to trigger concern over his ability to send newsletters, creating just enough urgency to prompt action.
  • Subtle Execution: Unlike obvious phishing attempts with broken English or exaggerated threats, this one was polished and convincing.
  • 1Password Red Flag: The lack of autofill was a major clue, but one he overlooked in the moment.

“It socially engineered me into believing I wouldn’t be able to send out my newsletter,” Hunt wrote. “It triggered ‘fear,’ but it wasn’t all bells and whistles about something terrible happening if I didn’t take immediate action.”

Mailchimp’s Role and Unanswered Questions

The breach also raised concerns about Mailchimp’s handling of subscriber data. When Hunt’s mailing list was exported, it didn’t just include active subscribers but also those who had previously unsubscribed. Mailchimp retains these addresses indefinitely, a practice that remains largely unexplained.

This means people who opted out of Hunt’s emails—perhaps believing their data was erased—were still affected. It’s a reminder that even if you unsubscribe from a mailing list, your email might still be stored and, in some cases, vulnerable.

What Happens Now?

Hunt quickly changed his password and secured his account, but the stolen emails are already out in the wild. What can be done? For subscribers, the risk mainly involves targeted phishing attempts using the leaked emails. For Hunt, it’s a harsh lesson that even cybersecurity pros aren’t immune to well-crafted social engineering attacks.

As for the phishing site—mailchimp-sso.com—Cloudflare shut it down within two hours of Hunt’s credentials being stolen. While that’s a quick response, it wasn’t fast enough to stop the attack from succeeding.

The Growing Threat of Phishing

Phishing scams have evolved. Gone are the days of obviously fake emails riddled with typos. Attackers are now crafting highly convincing messages that can fool even security experts.

Key takeaways from this incident:

  • Multifactor authentication (MFA) isn’t foolproof: a one-time code is just another secret you type in, so a phishing page that proxies the login can forward your password and OTP to the real site while the code is still valid (an adversary-in-the-middle attack). Only phishing-resistant factors bound to the site’s origin, such as passkeys or FIDO2 security keys, refuse to work on a lookalike domain.
  • Password managers help, but only if you listen to them: a manager fills only on the domain where the credential was saved. If it stays silent on a login page, stop and check the address bar before typing anything.
  • Cybercriminals are getting better at psychological tricks: scams today are designed to feel real, often playing on fear, urgency, or authority, and they no longer need to look clumsy to work.
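The first two takeaways can be shown in code. The following Python is an added example, not from the original article and not code from Troy Hunt, Mailchimp or 1Password. It simulates a lookalike-domain check of the kind a password manager performs before autofilling, then a phishing proxy that relays a password plus a time-based OTP to the real site inside the code’s validity window, and contrasts that with an origin-bound assertion (WebAuthn-style, modelled here with an HMAC rather than a real public-key signature) that the same relay cannot forward. The domain mailchimp-sso.com is the one named in the article; all secrets, the RealSite, PhishingProxy and OriginBoundSite classes, and the naive “last two labels” eTLD+1 rule are constructed for the demo.

```python
import hashlib
import hmac
import struct
import time
from typing import Optional
from urllib.parse import urlsplit


# --- 1. Why the password manager stayed silent ------------------------------
def registrable_domain(host: str) -> str:
    """Naive eTLD+1: last two labels. Enough for the .com hosts used here
    (assumption: a real password manager consults the Public Suffix List)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def should_autofill(saved_url: str, current_url: str) -> bool:
    """Fill only on HTTPS and only when the registrable domain matches the
    one the credential was saved on. mailchimp-sso.com != mailchimp.com."""
    saved, current = urlsplit(saved_url), urlsplit(current_url)
    if current.scheme != "https" or not saved.hostname or not current.hostname:
        return False
    return registrable_domain(saved.hostname) == registrable_domain(current.hostname)


# --- 2. Why a one-time code can be relayed -----------------------------------
def totp(secret: bytes, at: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP over HMAC-SHA1, the construction authenticator apps use."""
    counter = struct.pack(">Q", at // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


class RealSite:
    """Stand-in for the genuine service: password + TOTP, then a session."""
    def __init__(self, password: str, totp_secret: bytes):
        self._password, self._secret = password, totp_secret

    def login(self, password: str, otp: str, at: int) -> Optional[str]:
        if password != self._password:
            return None
        valid = {totp(self._secret, at), totp(self._secret, at - 30)}  # allow one drift window
        return "session-token" if otp in valid else None


class PhishingProxy:
    """Adversary-in-the-middle: whatever the victim types on the lookalike
    page is replayed to the real site before the OTP window closes."""
    def __init__(self, target: RealSite):
        self.target, self.stolen_session = target, None

    def victim_submits(self, password: str, otp: str, at: int) -> str:
        self.stolen_session = self.target.login(password, otp, at)
        return "Your sending privileges have been restored."  # keeps the victim calm


# --- 3. Why an origin-bound factor cannot be relayed -------------------------
class OriginBoundSite:
    """WebAuthn-style relying party: the authenticator signs the challenge
    together with the origin the *browser* reports, and the server checks it."""
    ORIGIN = "https://login.mailchimp.com"

    def __init__(self, device_key: bytes):
        self._device_key = device_key
        self.challenge = b"constructed-random-challenge"  # fixed for the demo

    def verify(self, origin: str, signature: bytes) -> bool:
        expected = hmac.new(self._device_key, self.challenge + origin.encode(), hashlib.sha256).digest()
        return origin == self.ORIGIN and hmac.compare_digest(expected, signature)


def authenticator_sign(device_key: bytes, challenge: bytes, browser_origin: str) -> bytes:
    """The page cannot choose the origin; the browser supplies it to the authenticator."""
    return hmac.new(device_key, challenge + browser_origin.encode(), hashlib.sha256).digest()


def run_demo(now: Optional[int] = None) -> dict:
    now = int(time.time()) if now is None else now
    secret, password = b"constructed-totp-seed", "correct horse battery staple"
    proxy = PhishingProxy(RealSite(password, secret))
    # Victim reads the code from their app and types it into the lookalike page.
    proxy.victim_submits(password, totp(secret, now), now)

    device_key = b"constructed-device-key"
    site = OriginBoundSite(device_key)
    phished_sig = authenticator_sign(device_key, site.challenge, "https://mailchimp-sso.com")
    genuine_sig = authenticator_sign(device_key, site.challenge, OriginBoundSite.ORIGIN)
    return {
        "autofill_on_phish": should_autofill("https://login.mailchimp.com/", "https://mailchimp-sso.com/login"),
        "otp_relay_succeeded": proxy.stolen_session == "session-token",
        # The proxy may forward the assertion under either origin; neither verifies.
        "origin_bound_relay_succeeded": site.verify("https://mailchimp-sso.com", phished_sig)
        or site.verify(OriginBoundSite.ORIGIN, phished_sig),
        "origin_bound_genuine_login": site.verify(OriginBoundSite.ORIGIN, genuine_sig),
    }


if __name__ == "__main__":
    print(run_demo())
```

Run it and the OTP relay succeeds while the origin-bound login does not: the stolen assertion was computed over the phishing origin, so it fails on the real site whichever origin the proxy claims. That is the whole difference between a factor you type and a factor the browser binds to the site.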

Hunt’s experience serves as a warning: No one is invincible when it comes to phishing. Awareness, skepticism, and attention to detail are the best defenses in an era where online deception is more convincing than ever.

Davis Emily
Emily is a versatile and passionate content writer with a talent for storytelling and audience engagement. With a degree in English and expertise in SEO, she has crafted compelling content for various industries, including business, technology, healthcare, and lifestyle, always capturing her unique voice.
