Illustrating that there is no such thing as immunity from phishing, the founder of the Have I Been Pwned? website admits to being taken in by an email that exposed his Mailchimp access.

Troy Hunt, the security researcher behind the popular “Have I Been Pwned?” data breach notification site, has fallen victim to a phishing attack that exposed the email addresses of subscribers to his personal blog's mailing list.
Hunt received an email purportedly from email marketing platform Mailchimp falsely claiming that his account had been restricted due to a spam complaint. In response, Hunt entered his login details and submitted a one-time passcode to a fake site posing as Mailchimp.
The security researcher quickly realized his mistake and changed his login details but not before attackers had exported a mailing list with more than 16,000 email addresses, including both current and unsubscribed blog subscribers.
Hunt quickly went public about the attack, which did not affect the Have I Been Pwned? service itself.
The phish allowed a ‘highly automated’ attack
In a blog post, Hunt explained how the well-crafted email had tricked him into acting on its contents. Hunt was, by his own account, travelling and somewhat jet-lagged, which led him to miss warning signs: his password manager did not auto-fill the login details (it fills credentials only on the domain they were saved for, and this was not Mailchimp's), the domain of the login page itself, and the unrelated sender address posing as “Mailchimp Account Services”.
“It socially engineered me into believing I wouldn’t be able to send out my newsletter so it triggered ‘fear’, but it wasn’t all bells and whistles about something terrible happening if I didn’t take immediate action,” according to Hunt.
The phishing attack was “highly automated and designed to immediately export the list before the victim could take preventative measures,” Hunt wrote.
The attack highlights the limits of passwords and one-time-passcode (OTP) two-factor authentication (2FA) against real-time phishing: a proxy that forwards the password and the code to the real site within the code's validity window gets the same session the user would have. Hunt said the incident shows the need for more sites to adopt passkeys, a password alternative in which a cryptographic key held on a registered device signs a login challenge bound to the site's origin, so a lookalike domain cannot obtain a valid login.
“By no means would I encourage people not to enable 2FA via OTP, but let this be a lesson as to how completely useless it is against an automated phishing attack that can simply relay the OTP as soon as it’s entered,” Hunt concluded.
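The difference Hunt describes, as an added example that is not part of the article or Hunt's own write-up: a toy model of a relay phishing kit against a password-plus-TOTP login next to a WebAuthn-style passkey login. The domains are hypothetical, the TOTP code follows RFC 4226/6238, and the HMAC "signature" stands in for the asymmetric signature a real authenticator would produce; the two checks that stop the relay (the browser refusing to use a credential whose relying-party ID does not match the page's origin, and the site rejecting client data signed for a different origin) are the ones the WebAuthn specification defines.

```python
import hashlib
import hmac
import json
import secrets
import struct

# Constructed, hypothetical origins for this demonstration.
REAL_ORIGIN = "https://mailchimp.example"
PHISH_ORIGIN = "https://mailchimp-sso.example"


def hostname(origin):
    return origin.split("://", 1)[1].split("/", 1)[0]


# ---- OTP 2FA: RFC 4226 HOTP / RFC 6238 TOTP ----
def hotp(key, counter, digits=6):
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(key, now, step=30):
    return hotp(key, now // step)


class OtpService:
    """The real site: it cannot tell who typed a valid password and code."""
    def __init__(self, password, totp_key):
        self.password, self.totp_key = password, totp_key

    def login(self, password, code, now):
        return hmac.compare_digest(password, self.password) and \
            hmac.compare_digest(code, totp(self.totp_key, now))


def relay_otp_phish(site, victim_password, victim_code, now):
    """Phishing kit: forward what the victim typed, inside the 30 s window."""
    return site.login(victim_password, victim_code, now)


# ---- Passkeys: origin-bound challenge signing ----
class Authenticator:
    """One credential per relying-party ID (HMAC stands in for a private key)."""
    def __init__(self):
        self.creds = {}

    def register(self, rp_id):
        self.creds[rp_id] = secrets.token_bytes(32)
        return self.creds[rp_id]

    def sign(self, rp_id, client_data):
        key = self.creds.get(rp_id)
        return None if key is None else hmac.new(key, client_data, hashlib.sha256).digest()


class Browser:
    """Only lets a page use credentials whose rp_id matches its own origin, and
    stamps the origin it actually observed into the data that gets signed."""
    def __init__(self, auth):
        self.auth = auth

    def get_assertion(self, page_origin, rp_id, challenge):
        host = hostname(page_origin)
        if host != rp_id and not host.endswith("." + rp_id):
            raise PermissionError("SecurityError: rp_id does not match origin")
        client_data = json.dumps({"type": "webauthn.get", "challenge": challenge,
                                  "origin": page_origin}, sort_keys=True).encode()
        sig = self.auth.sign(rp_id, client_data)
        return None if sig is None else (client_data, sig)


class PasskeyService:
    def __init__(self, origin, cred_key):
        self.origin, self.cred_key = origin, cred_key

    def new_challenge(self):
        return secrets.token_urlsafe(32)

    def verify(self, challenge, assertion):
        if assertion is None:
            return False
        client_data, sig = assertion
        data = json.loads(client_data)
        if data["origin"] != self.origin or data["challenge"] != challenge:
            return False  # signed for another site, or replayed
        expected = hmac.new(self.cred_key, client_data, hashlib.sha256).digest()
        return hmac.compare_digest(sig, expected)


def demo():
    now = 1_700_000_000
    otp_site = OtpService("hunter2", secrets.token_bytes(20))
    victim_code = totp(otp_site.totp_key, now)  # what the victim reads off their app
    otp_relayed = relay_otp_phish(otp_site, "hunter2", victim_code, now)

    auth, real_rp = Authenticator(), hostname(REAL_ORIGIN)
    site = PasskeyService(REAL_ORIGIN, auth.register(real_rp))
    browser = Browser(auth)
    chal = site.new_challenge()
    legit = site.verify(chal, browser.get_assertion(REAL_ORIGIN, real_rp, chal))

    # The phishing page relays the real challenge. Requesting the real rp_id is
    # blocked by the browser; requesting its own rp_id finds no credential.
    chal = site.new_challenge()
    try:
        browser.get_assertion(PHISH_ORIGIN, real_rp, chal)
        blocked = False
    except PermissionError:
        blocked = True
    phished = browser.get_assertion(PHISH_ORIGIN, hostname(PHISH_ORIGIN), chal)
    return {"otp_relay_succeeds": otp_relayed, "legit_passkey": legit,
            "browser_blocked_cross_origin": blocked,
            "passkey_relay_succeeds": site.verify(chal, phished)}


if __name__ == "__main__":
    print(demo())
```

The OTP relay succeeds because nothing in a six-digit code says where it was typed; the passkey relay fails twice over because the signature covers the origin the browser saw and the browser will not hand the real site's credential to another domain in the first place.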
Hunt told CSO that he had never previously fallen victim to a phishing attack, to the best of his knowledge.
“Fallibility is something we all have — I never thought I was immune,” Hunt said. The security researcher added that the incident illustrated that “security is a shared responsibility”, so simply blaming security-unsavvy users for falling victim to phishing attacks fails to get at the heart of the problem.
More sites and services should introduce passkeys or non-phishable 2FA alternatives which should not involve any major expense or difficulty in applying, Hunt concluded.
Even seasoned pros are susceptible to phishing
Aditi Gupta, principal security consultant at Black Duck, said the attack illustrated how bad actors feed on fear and weaknesses such as tiredness and a sense of urgency in order to bait unsuspecting users.
“Using passkeys is an immediate preventative measure, but basic hygiene like evaluating sender identity and double-checking domains on a different browser before clicking and entering credentials is a smart thing to do,” according to Gupta.
Erich Kron, security advocate at security awareness vendor KnowBe4, added that the incident illustrates how even a “seasoned professional can fall victim to a well-done phishing attack”.
“This is one reason we should avoid shaming users who have made a mistake and potentially clicked on a link or performed some other action,” Kron said. “Organisations should work toward a security culture that celebrates reporting.”
Kron added: “Hunt deserves kudos for speaking about it publicly, admitting his error and using this to help educate others.”